session-manager
Pass
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect prompt injection surface identified in the session restoration logic. The skill automatically loads and displays context (notes, tasks, files) from previous sessions stored in
~/.musubix/sessions/. If a previous session involved interacting with untrusted content, such as summarizing a malicious document or analyzing untrusted code, an attacker could inject instructions into the session log that are subsequently obeyed when the agent restores that context.\n - Ingestion points:
scripts/session-start.shreads and parses markdown files from the local sessions directory to notify the agent of previous progress.\n - Boundary markers: No boundary markers or specialized instructions are used to distinguish restored context from current system instructions or to treat it as untrusted.\n
- Capability inventory: The agent has access to shell execution and file system manipulation, which are significant capabilities that could be targeted by an injection.\n
- Sanitization: No sanitization, filtering, or validation is performed on the content of the session files before they are presented to the agent context.\n- [COMMAND_EXECUTION]: The skill relies on local bash scripts (
session-start.shandsession-end.sh) to perform state management. These scripts use standard unix utilities likefind,sed,grep, andcatto manage files within the user's home directory. While functionally appropriate for a session manager, these represent the primary mechanism through which the agent interacts with the underlying system.
Audit Metadata