session-handoff

Warn

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands (grep, head, tail) using a transcript_path variable extracted from external JSON metadata. If the session metadata is maliciously crafted to include shell metacharacters (e.g., ;, &, |), it could lead to arbitrary command execution on the host system.\n- [DATA_EXFILTRATION]: The skill reads absolute file paths provided in the transcript_path field of session JSON files (e.g., /Users/alisha/.codex/sessions/...). This allows the agent to read files outside the project directory, potentially exposing sensitive system information or credentials if a malicious JSON file is processed.\n- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8).\n
  • Ingestion points: Reads session metadata from .git/entire-sessions/*.json and full conversation transcripts from absolute paths specified in those files.\n
  • Boundary markers: Absent. The skill does not provide delimiters or instructions to the agent to disregard instructions embedded within the transcript data.\n
  • Capability inventory: The agent has access to the entire CLI, grep, head, tail, cut, the Read tool, and the Glob tool.\n
  • Sanitization: Absent. There is no validation of the transcript path or the content of the transcript before it is processed and summarized for the agent to 'immediately pick up the work'.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 20, 2026, 12:49 PM
Security Audit — agent-trust-hub — session-handoff