handoff
Warn
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill's instructions in Step 1 and Step 2 explicitly suggest gathering "Test credentials if relevant" and including a "Credentials" section in the
CONTINUATION.mdfile. Storing sensitive authentication data in files tracked by version control is an unsafe practice. - [DATA_EXFILTRATION]: In Step 3, the skill executes
git push, which uploads the continuation file to a remote repository. If the file contains credentials or other sensitive information as suggested, this results in the exfiltration of that data to the remote host. - [COMMAND_EXECUTION]: The skill executes multiple shell commands, including
git add,git commit,git push, and clipboard utilities likepbcopy(macOS) andxclip(Linux) to manage the handoff process. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting untrusted data from the conversation history to generate summaries.
- Ingestion points: Aggregates state information (tasks, decisions, issues) from the current session context in
SKILL.md. - Boundary markers: None; there are no delimiters or instructions to ignore embedded commands in the gathered context.
- Capability inventory: Includes file system writes,
gitoperations, and system clipboard access inSKILL.md. - Sanitization: No validation or escaping is performed on the session data before it is interpolated into the generated files and prompts.
Audit Metadata