session-manager

Pass

Audited by Gen Agent Trust Hub on Jun 20, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: Indirect prompt injection surface identified in the session restoration logic. The skill automatically loads and displays context (notes, tasks, files) from previous sessions stored in ~/.musubix/sessions/. If a previous session involved interacting with untrusted content, such as summarizing a malicious document or analyzing untrusted code, an attacker could inject instructions into the session log that are subsequently obeyed when the agent restores that context.\n
  • Ingestion points: scripts/session-start.sh reads and parses markdown files from the local sessions directory to notify the agent of previous progress.\n
  • Boundary markers: No boundary markers or specialized instructions are used to distinguish restored context from current system instructions or to treat it as untrusted.\n
  • Capability inventory: The agent has access to shell execution and file system manipulation, which are significant capabilities that could be targeted by an injection.\n
  • Sanitization: No sanitization, filtering, or validation is performed on the content of the session files before they are presented to the agent context.\n- [COMMAND_EXECUTION]: The skill relies on local bash scripts (session-start.sh and session-end.sh) to perform state management. These scripts use standard unix utilities like find, sed, grep, and cat to manage files within the user's home directory. While functionally appropriate for a session manager, these represent the primary mechanism through which the agent interacts with the underlying system.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 20, 2026, 09:23 AM
Security Audit — agent-trust-hub — session-manager