handoff
Pass
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The bundled script scripts/handoff.py uses subprocess.run to execute git commands (branch, rev-parse, status) that retrieve repository state. These calls use hardcoded arguments and are limited to local repository metadata gathering.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting data from local project files (.docs/handoff.session, .docs/handoff.last-validation) to populate the handoff report.
  - (1) Ingestion points: scripts/handoff.py reads from local .docs/handoff.session and .docs/handoff.last-validation marker files.
  - (2) Boundary markers: The instructions in SKILL.md do not explicitly command the agent to ignore or delimit instructions found within these ingested files.
  - (3) Capability inventory: The skill has file-write access (.docs/handoff.md) and local command execution (git).
  - (4) Sanitization: Ingested text is parsed as logical bullets without content validation or escaping.