memos-skill
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
Tags: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill is architected to store sensitive Memos access_token credentials in a plain-text config.json file within the skill directory. While the distributed config.json uses placeholders, the instructions in SKILL.md (Scenario 5) explicitly direct the agent to write live user-provided tokens to this file using Python script execution. This practice exposes secrets to any process or user with read access to the skill's directory.
- [DYNAMIC_EXECUTION]: The skill includes Python code snippets for runtime file management, specifically writing configuration data to config.json. This capability for self-modification of configuration files could potentially be leveraged to manipulate agent settings if the agent's logic is subverted through other means.
- [INDIRECT_PROMPT_INJECTION]: The skill possesses a significant attack surface for indirect prompt injection due to its core functionality of retrieving and processing external content.
  - Ingestion points: The agent retrieves untrusted content from the Memos API via GET /api/v1/memos, GET /api/v1/memos/{memo}, and GET /api/v1/memos/{memo}/comments, as described in SKILL.md and references/api-reference.md.
  - Boundary markers: There are no explicit boundary markers or instructions to the agent to disregard instructions embedded within the retrieved memo content.
  - Capability inventory: The skill has the capability to perform arbitrary network requests and write to the filesystem (for configuration management).
  - Sanitization: No sanitization, validation, or escaping of the retrieved memo or comment data is performed before the data is integrated into the agent's context.
Audit Metadata