worker-handover

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION] (LOW): Indirect Prompt Injection surface via GitHub issue comments.
      • Ingestion points: The skill instructs the agent to fetch untrusted data from GitHub using gh api "/repos/$OWNER/$REPO/issues/$ISSUE/comments" in the 'Receiving a Handover' section of SKILL.md.
      • Boundary markers: The process relies on <!-- HANDOVER:START --> and <!-- HANDOVER:END --> markers. These are weak delimiters as they can be easily spoofed by any user capable of commenting on the GitHub issue.
      • Capability inventory: The skill explicitly expects the agent to run commands found in the handover (e.g., pnpm test and other arbitrary shell blocks) and follow 'Recommended Next Steps' which are parsed directly from the comment body.
      • Sanitization: There is no evidence of author verification (checking if the comment came from a trusted worker/bot) or content sanitization. The logic simply selects the last comment containing the marker.
Audit Metadata
  Risk Level: SAFE
  Analyzed: Feb 17, 2026, 06:36 PM