memex
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses subprocess.check_output in scripts/recall.py to identify the current git commit SHA for versioning and diagnostics. This call uses a hardcoded command list (git rev-parse) which prevents shell injection and is used only for informational metadata purposes.
- [DATA_EXPOSURE]: The skill intentionally accesses conversation history files located in ~/.claude/projects/ and ~/.codex/sessions/. This behavior is the primary purpose of the skill. The data is processed locally and stored in an indexed SQLite database at ~/.memex.db. Analysis confirms there are no network operations or external data transfers, ensuring the data remains on the local machine.
- [PRIVILEGE_ESCALATION]: The skill performs a security-hardening action by calling os.chmod on its created database file with permissions 0600 (read/write only by the owner). This is a best-practice measure to protect the local index from other users on the system.
- [INDIRECT_PROMPT_INJECTION]: The skill processes content from past conversation logs which may contain untrusted data.
  - Ingestion points: Reads JSONL session files from the user's home directory in scripts/recall.py and scripts/read_session.py.
  - Boundary markers: Search results are delimited with numeric indices, timestamps, and metadata headers to separate them from the assistant's own response.
  - Capability inventory: No dangerous runtime capabilities (like exec or eval) are applied to the processed text. Subprocess usage is limited to a static version-check command unrelated to the ingested data.
  - Sanitization: Text content is truncated to ensure output length is controlled. Resume commands generated for the user use shlex.quote for safe interpolation.