handoff
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill ingests conversation history to generate a 'Resume Prompt' and 'Next Steps' for future sessions, creating a surface where adversarial content in the history could influence the next agent's behavior.
  - Ingestion points: Current session context and git branch information.
  - Boundary markers: Uses standard Markdown headers but lacks explicit 'ignore' delimiters for the summarized content.
  - Capability inventory: File system writes, shell execution via git and mktemp, and configuration modification via update-config.
  - Sanitization: Implements a 'Point, don't paste' rule to prevent the direct inclusion of large file contents, which reduces the direct injection surface.
- [COMMAND_EXECUTION]: Executes shell commands to detect the environment and manage local files.
  - Evidence: `git rev-parse --abbrev-ref HEAD` and `mktemp -t handoff-XXXXXX.md`.
- [PERSISTENCE_MECHANISMS]: Offers to modify the agent's configuration to automate handoff triggers.
  - Evidence: Proposes setting up a /handoff slash command or a Stop hook using the update-config skill.
Audit Metadata