handing-off-sessions
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [DATA_EXPOSURE]: The script
scripts/gather-session-context.shcollects local system metadata, including the system username ($USER), shell environment ($SHELL), and absolute filesystem paths. While this is the intended functionality to facilitate session handoffs, users should be aware that this metadata is recorded in the generated handoff files. - [INDIRECT_PROMPT_INJECTION]: The skill processes data from potentially untrusted local sources.
- Ingestion points:
scripts/gather-session-context.shreads data from git commit messages, branch names, and filenames in the current directory. - Boundary markers: The script organizes output using markdown headers (e.g.,
## Git State) but lacks explicit delimiters or "ignore instructions" warnings to prevent the agent from following commands hidden within git logs or filenames. - Capability inventory: The skill allows the execution of local shell scripts and instructions for the agent to write files to the
.agent/handoffs/directory. - Sanitization: No sanitization, escaping, or validation is performed on the content retrieved from the filesystem or git history before it is interpolated into the agent's context.
Audit Metadata