stash-ai-memory
Fail
Audited by Gen Agent Trust Hub on Apr 26, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to clone a complete codebase from an external repository located at https://github.com/alash3al/stash.git.
- [REMOTE_CODE_EXECUTION]: Installation steps lead to the execution of code from the external repository via 'docker compose up' or by building and running a Go binary using 'go build -o stash ./cmd/stash'.
- [COMMAND_EXECUTION]: The skill requires the execution of multiple shell commands to set up the environment, build the application, and start the service (e.g., 'git clone', 'go build', './stash serve').
- [COMMAND_EXECUTION]: The instructions involve modifying configuration files for third-party applications, including Claude Desktop ('
/Library/Application Support/Claude/claude_desktop_config.json'), Cursor/Windsurf/Cline ('.cursor/mcp.json'), and Continue ('/.continue/config.json'). - [CREDENTIALS_UNSAFE]: The provided configuration examples and docker-compose.yml file contain hardcoded default database credentials ('stash:stash') in the connection string and environment variables.
- [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by ingesting and processing untrusted interaction data ('episodes') that is later recalled by the agent. This memory-based workflow lacks documented sanitization or boundary markers to prevent malicious data from influencing agent behavior.
- Ingestion points: Data stored via the 'stash_remember' tool or the '/api/episodes' endpoint.
- Boundary markers: None identified in the documentation or integration examples.
- Capability inventory: Execution of shell commands, Docker operations, and modification of application configuration files.
- Sanitization: No sanitization or validation protocols are described for the stored memory content.
Recommendations
- AI detected serious security threats
Audit Metadata