handoff
Pass
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill's core functionality of loading session state presents a surface for indirect prompt injection.
- Ingestion points: Conversation state is read from
.artifacts/.handoff.mdduring the load workflow described inreferences/load.md. - Boundary markers: The skill uses Markdown headers (e.g.,
## YYYY-MM-DD) and bold labels (e.g.,**Focus:**) to structure the data, but it does not include instructions for the agent to ignore or isolate potential commands embedded within the saved text. - Capability inventory: The skill utilizes file system read/write operations (via
SKILL.mdand referenced files) and updates the agent's working context with external data. - Sanitization: There is no evidence of sanitization, escaping, or validation of the content retrieved from the handoff file before it is surfaced to the agent's context.
Audit Metadata