handoff
Pass
Audited by Gen Agent Trust Hub on Jul 13, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill facilitates the capture and persistence of session context, which creates an attack surface for indirect prompt injection (Category 8).
- Ingestion points: The skill ingests conversation thread history, PRD documents, plan files, and external issue metadata from sources like Linear or GitHub (as specified in
SKILL.mdandreferences/planning/build.md). - Boundary markers: The skill utilizes a predefined Markdown template for its output, but it does not employ specific delimiters (like XML tags or unique markers) to isolate untrusted user data from the instructions provided to the next agent.
- Capability inventory: The skill is capable of writing to the local file system and expects subsequent agents to perform operations such as code validation and investigation (referenced in
references/agent-routing.md). - Sanitization: The protocol includes a mandatory requirement to redact secrets, tokens, credentials, and PII before writing the handoff file, providing a degree of data protection, though it does not explicitly filter for adversarial instructions.
- [COMMAND_EXECUTION]: The skill and its associated documentation rely on local shell commands for workspace setup and project validation tasks.
- Evidence:
SKILL.mdinstructs the agent to usemkdir -pandmktempto manage ephemeral handoff files in the_agent/handoffs/directory. Additionally,references/agent-routing.mddefines the use of project-specific validation tools likevalidate:changed --pre-pras part of the agent's core routing invariants.
Audit Metadata