skill-system-memory
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill manages database credentials by prompting the user and storing them in the standard PostgreSQL password file (.pgpass on Linux/macOS or pgpass.conf on Windows) using the scripts setup-pgpass.sh and setup-pgpass.ps1.
- [COMMAND_EXECUTION]: Various scripts execute shell commands for system maintenance and setup. The bootstrap and setup-pgvector scripts use winget to install software and nmake to compile the pgvector extension from source code.
- [EXTERNAL_DOWNLOADS]: The skill downloads the pgvector source code from the official GitHub repository and makes network requests to OpenAI or local Ollama endpoints to generate embeddings for stored memories.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface through its OpenCode plugin, which automatically retrieves stored content from the database and injects it into the agent's context during compaction operations.
  - Ingestion points: Data is stored in the agent_memories table via the store_memory function (init.sql) and retrieved in the plugin/skill-system-memory.js file.
  - Boundary markers: Retrieved memories are injected into the agent's context without the use of specific boundary markers or delimiters to isolate untrusted content.
  - Capability inventory: The skill is capable of performing database read/write operations (init.sql), executing shell commands via psql (mem.sh), and making network requests (ingest-embeddings.sh).
  - Sanitization: The skill implements SQL escaping to prevent database injection, but it does not sanitize the text content before it is injected into the prompt context.
Audit Metadata