cortexfs
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on executing bash commands via the 'cortex' CLI tool. Parameters such as 'content', 'id', and 'query' are interpolated as string arguments into shell commands (e.g., 'cortex save "" "" ""'). This pattern is vulnerable to shell command injection if the input contains shell metacharacters such as backticks or '$(...)' subshell expansions.
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to install an external global package, 'cortexfs-cli', using the command 'npm install -g cortexfs-cli'. While this is an expected dependency for the skill's functionality, it involves downloading and installing third-party code.
- [PROMPT_INJECTION]: The skill implements a persistent memory layer that is vulnerable to indirect prompt injection. Malicious instructions stored in the memory could be triggered when the agent performs mandatory 'search-first' operations.
  - Ingestion points: Files 'commands/cortex-read.md', 'commands/cortex-search.md', and 'commands/cortex-load-state.md' retrieve external data into the agent's context.
  - Boundary markers: The skill lacks any delimiters or instructions to treat retrieved memory content as untrusted data.
  - Capability inventory: The skill provides full shell command execution via the CortexFS CLI.
  - Sanitization: There is no evidence of sanitization or validation of data retrieved from the memory storage before it is processed by the agent.
Audit Metadata