cm

Fail

Audited by Gen Agent Trust Hub on Apr 6, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The AGENTS.md file includes a 'RULE 0' that acts as a behavioral override, instructing the agent to prioritize direct user commands over the established guidelines in the document ('I AM IN CHARGE, NOT YOU'), matching patterns used to bypass local constraints.
  • [REMOTE_CODE_EXECUTION]: Installation instructions in README.md and SKILL.md utilize curl | bash patterns to execute scripts from the official Bun website (https://bun.sh/install) and the author's GitHub repository. While these are vendor-provided or well-known sources, the pattern remains a high-privilege execution vector.
  • [COMMAND_EXECUTION]: The skill's implementation in src/cass.ts and various command modules utilizes shell command execution via spawnSync and execFile to interact with the local cass search tool and execute commands on remote hosts via ssh for cross-agent memory sharing.
  • [DATA_EXFILTRATION]: As part of its primary purpose of session reflection, the skill extracts content from local agent session logs and transmits it to external LLM provider APIs (Anthropic, OpenAI, Google) for analysis. A sanitization layer in src/sanitize.ts redacts common secrets (API keys, tokens, etc.) before transmission, but processing raw transcripts remains an inherent data privacy risk.
  • [PROMPT_INJECTION]: The system presents an indirect prompt injection surface as it ingests untrusted transcript data from .jsonl and .md session logs. These logs are processed by LLMs during the 'Reflector' and 'Validator' phases to derive new rules, which could allow instructions embedded in the transcripts to influence the generated playbook.
      • Ingestion points: Raw transcript data is ingested via src/diary.ts and src/cass.ts (export function).
      • Boundary markers: Data is processed within structured JSON/Markdown formats, though the prompt templates in src/llm.ts do not show explicit delimiters designed to neutralize instruction-like text within the transcripts.
      • Capability inventory: The skill possesses the capability to write to the filesystem, execute shell commands, and perform network operations via ssh and LLM APIs.
      • Sanitization: A comprehensive sanitization module in src/sanitize.ts automatically redacts sensitive patterns (AWS keys, GitHub tokens, JWTs, etc.) before they are transmitted to external providers.
Recommendations
  • HIGH: Downloads and executes remote code from: https://bun.sh/install, https://raw.githubusercontent.com/Dicklesworthstone/cass_memory_system/main/install.sh, https://raw.githubusercontent.com/${OWNER}/${REPO}/main/install.sh - DO NOT USE without thorough review
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 6, 2026, 07:14 AM