handoff
Pass
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: SAFE (tags: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface.
  - Ingestion point: The skill processes the current conversation history and user-supplied arguments as input for generating the handoff summary.
  - Boundary markers: The instructions lack delimiters or specific warnings to ignore embedded commands within the ingested conversation data.
  - Capability inventory: The skill has the capability to write files to the filesystem (temporary directory).
  - Sanitization: While the skill explicitly instructs the agent to redact sensitive information like API keys and passwords, it does not include sanitization or filtering for instructional content found in the conversation history.
  - Finding: Malicious instructions present in the conversation could be carried over into the 'suggested skills' section of the summary, potentially causing a future agent session to execute those skills without proper context or authorization.
- [COMMAND_EXECUTION]: Workspace Escape.
  - Finding: The skill instructs the agent to save output to the OS temporary directory, specifically 'not the current workspace'. This behavior moves data outside the primary project environment, which can be used to hide information or bypass workspace-specific security and audit constraints.