memex-cli
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill documentation (references/output-formats.md) explicitly describes support for
tool.callevents, which can execute arbitrary shell commands likebashwithpytest tests/. This allows for direct command execution on the host machine. - [REMOTE_CODE_EXECUTION] (HIGH): The tool is designed to generate source code and then potentially execute it via shell tools. Furthermore, the instructions recommend installing an external package (
npm install -g memex-cli) from a non-specified registry, which represents a supply chain risk. - [DATA_EXFILTRATION] (HIGH): The
files:parameter supports recursive glob patterns (e.g.,src/**/*.py) to load entire directory structures into the AI context. This data is then transmitted to external AI backends (Codex, Claude, Gemini), creating a high-risk vector for the exfiltration of sensitive source code or credentials. - [PROMPT_INJECTION] (MEDIUM): The skill takes natural language prompts in the
---CONTENT---block. While intended for task instructions, this block could be used to deliver malicious commands that override agent behavior or manipulate the underlying file system. - [INDIRECT_PROMPT_INJECTION] (HIGH): Category 8 analysis: The skill ingests untrusted data via the
files:parameter (Ingestion Point). It lacks explicit sanitization or strict boundary markers to prevent embedded instructions in those files from being executed (Sanitization/Boundaries). Given its high Capability Inventory (file read/write, shell execution), malicious code in a 'reviewed' file could trigger unauthorized side effects.
Recommendations
- AI detected serious security threats
Audit Metadata