session-handoff
Warn
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands (
grep,head,tail) using atranscript_pathvariable extracted from external JSON metadata. If the session metadata is maliciously crafted to include shell metacharacters (e.g.,;,&,|), it could lead to arbitrary command execution on the host system.\n- [DATA_EXFILTRATION]: The skill reads absolute file paths provided in thetranscript_pathfield of session JSON files (e.g.,/Users/alisha/.codex/sessions/...). This allows the agent to read files outside the project directory, potentially exposing sensitive system information or credentials if a malicious JSON file is processed.\n- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8).\n - Ingestion points: Reads session metadata from
.git/entire-sessions/*.jsonand full conversation transcripts from absolute paths specified in those files.\n - Boundary markers: Absent. The skill does not provide delimiters or instructions to the agent to disregard instructions embedded within the transcript data.\n
- Capability inventory: The agent has access to the
entireCLI,grep,head,tail,cut, theReadtool, and theGlobtool.\n - Sanitization: Absent. There is no validation of the transcript path or the content of the transcript before it is processed and summarized for the agent to 'immediately pick up the work'.
Audit Metadata