project-spawn
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill creates a multi-step context handoff chain by extracting information from the current conversation history and writing it to a PROJECT_HANDOFF.md file, which is then automatically read by the next agent session.
  - Ingestion points: Conversation history (last 5-10 messages) as described in SKILL.md Step 2.
  - Boundary markers: Absent. The skill does not define delimiters or provide instructions to the subsequent agent session to ignore potentially malicious embedded instructions in the handoff file.
  - Capability inventory: The skill can execute shell scripts, manage tmux sessions, and perform file system and repository operations (Git/GitHub).
  - Sanitization: Absent. No filtering or escaping is applied to the extracted context before it is written to the persistent handoff file.
- [COMMAND_EXECUTION]: The skill executes a local shell script spawn_session.sh with arguments derived from the conversation context. Although the script correctly uses double quotes for variable expansion, the input path and session name are determined by the agent's interpretation of untrusted conversation data.