session-memory
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill demonstrates a high-severity vulnerability by ingesting untrusted external data into a high-capability environment.
  - Ingestion points: The mcp__goldfish__recall tool (referenced in SKILL.md) retrieves data from a persistent store including checkpoints, active plans, and work summaries.
  - Boundary markers: Absent. There are no delimiters or instructions provided to the agent to treat recalled content as untrusted or to ignore embedded instructions.
  - Capability inventory: The skill allows the Bash and Read tools, providing a path for arbitrary command execution and file access.
  - Sanitization: Absent. There is no validation or filtering of the recalled data before it is presented to the agent or used to inform next steps.
- [Prompt Injection] (HIGH): The instructions contain multiple directives aimed at overriding the agent's default safety behavior and user-interaction protocols. Phrases like 'DO NOT ask permission', 'Just use it', 'MANDATORY', and 'Don't ask' are used to ensure the agent executes tools without the user's explicit consent.
- [Privilege Escalation] (MEDIUM): The skill attempts to escalate its operational priority by instructing the agent to perform actions 'automatically' and 'before the user notices,' which bypasses the standard human-in-the-loop requirement for sensitive tool operations like Bash.
Recommendations
- AI detected serious security threats
Audit Metadata