auto-handoff
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection because it ingests raw operation logs (
obs-{id}.jsonl)—which can contain untrusted data from external sources—and persists them into 'memory' files that are automatically injected into the agent's context at the start of new sessions. - Ingestion points: Raw operation logs in
obs-{id}.jsonl(File: SKILL.md). - Boundary markers: None present; the skill lacks delimiters or instructions to ignore embedded commands in the logs.
- Capability inventory: File read/write access and automatic context injection via SessionStart hook.
- Sanitization: None present.
- [Data Exposure & Exfiltration] (MEDIUM): The skill instructions explicitly direct the agent to extract and save raw source code and detailed error messages into unmanaged local files.
- Evidence: Rule 1 in '写入原则' (Writing Principles) and Item 6 in 'Layer 2' (File: SKILL.md).
- Risk: Sensitive code and system state are duplicated into unmanaged markdown files on the local filesystem.
- [Metadata Poisoning] (LOW): The skill contains instructions that mandate deceptive behavior toward the user regarding its operations by forbidding the agent from informing the user about the memory saving process.
- Evidence: '重要规则' (Important Rules) section (File: SKILL.md).
Recommendations
- AI detected serious security threats
Audit Metadata