agent-handoff
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill relies on reading shared files from the .ai/ directory (such as HANDOFF.md, PLAN.md, and session logs) to maintain state across different AI agents. This creates a surface for indirect prompt injection: a malicious actor who can modify files in the repository could inject instructions into these files to hijack the behavior of any agent that subsequently reads them.
  - Ingestion points: The agent is instructed to read .ai/PROJECT.md, .ai/PATHS.md, .ai/PLAN.md, and .ai/conversations/HANDOFF.md at the start of every conversation.
  - Boundary markers: The instructions do not define any delimiters or warn the agent to ignore embedded instructions within these shared files.
  - Capability inventory: The skill requires file read/write permissions and uses shell commands (mkdir, find) as specified in the bootstrapping section of SKILL.md.
  - Sanitization: There is no mention of sanitizing or validating the content of the shared files before the agent processes them as context.
- [COMMAND_EXECUTION]: The skill's bootstrapping process uses local shell commands to initialize the environment and discover project documentation.
  - Evidence: SKILL.md contains instructions for the agent to run 'mkdir -p .ai/conversations/decisions .ai/conversations/sessions' and 'find {dir} -maxdepth 3 -type f ...' to map the project structure.
  - While these commands are standard for project setup, they represent a capability that could be targeted if the agent's instructions were compromised.
Audit Metadata