clear-context
Warn
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: MEDIUM
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill provides explicit instructions for subagents to override safety protocols. It directs agents to 'DO NOT pause for user confirmation' and 'not ask the user for confirmation' when certain flags are present. This constitutes a direct attempt to bypass standard human-in-the-loop safety constraints.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its reliance on unvalidated state files. Subagents are instructed to follow execution modes and task lists derived from .claude/session-state.md, which is populated by processing potentially untrusted task data.
  - Ingestion points: Subagents read operational instructions from .claude/session-state.md during the handoff workflow.
  - Boundary markers: No delimiters or instructions are used to separate trusted state data from potentially malicious input injected by processed content.
  - Capability inventory: Subagents have full access to tools like shell execution and file modification.
  - Sanitization: There is no validation or sanitization of the state file content before it is processed by the continuation agent.
- [COMMAND_EXECUTION]: The skill facilitates the propagation of 'dangerous' and 'unattended' execution modes across sessions. These modes suppress confirmation for high-risk operations, enabling automated command execution without human oversight. This risk is amplified by the fact that these modes are inherited via a local file that could be influenced by task data.
Audit Metadata