memos
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/memos.sh` executes standard system utilities including `curl`, `jq`, `sed`, and `python3` to facilitate API requests, JSON processing, and URL encoding.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) by fetching and displaying external data that could contain malicious instructions for the agent.
  - Ingestion points: Untrusted content enters the agent's context through the output of commands like `list`, `get`, and `comments` in `scripts/memos.sh`, which retrieve data directly from the configured Memos instance.
  - Boundary markers: The script does not use any delimiters or protective instructions to warn the agent that the retrieved content is untrusted data and should not be executed as code or instructions.
  - Capability inventory: The skill allows for network operations via `curl` and modification of data on the Memos server, providing an attack vector if the agent follows instructions embedded within memo content.
  - Sanitization: While the script uses `jq` to ensure valid JSON formatting for outgoing payloads, it does not sanitize the text content retrieved from the API. Additionally, the `update` operation's handling of the `--pinned` flag (`fields+=("\"pinned\":$2")`) is vulnerable to JSON injection if the input is not strictly a boolean value, which could be used to manipulate other fields in the API request.
Audit Metadata