resume-work
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it restores session state from external artifacts and uses the retrieved information to dictate the agent's next steps.
  - Ingestion points: Data is read from HANDOFF.json, .continue-here.md, and task_plan.md in Phase 1.
  - Boundary markers: None. The instructions do not define delimiters or provide warnings to the agent to ignore potentially malicious instructions embedded in the handoff files.
  - Capability inventory: The skill has access to Bash, Write, and Skill tools, enabling it to execute commands or trigger other skills based on the ingested state.
  - Sanitization: None. The next_action and other fields from the handoff artifacts are processed without validation or escaping.
- [COMMAND_EXECUTION]: The skill exhibits a potential command injection surface in Phase 2, Step 1. It instructs the agent to execute git status --short -- for each entry in the uncommitted_files list from HANDOFF.json. If a filename contains shell metacharacters, it could lead to unintended command execution during the status check.