Session Manager
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and stores untrusted data that is later displayed back to the agent.\n
- Ingestion points: User-provided strings for session names, descriptions, tasks, and notes are accepted as command-line arguments in session.js.\n
- Boundary markers: Absent. The data is retrieved and printed to the console without delimiters or instructions to ignore embedded commands.\n
- Capability inventory: The script uses the Node.js fs module in session.js to read, write, and delete files within the /job/tmp/.sessions directory. It lacks network access or arbitrary command execution capabilities.\n
- Sanitization: Filename sanitization is performed in session.js to prevent path traversal attacks, but the content of tasks and notes is stored and displayed without escaping or validation.
Audit Metadata