persona-memory
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill implements an indirect prompt injection surface where content from local memory blocks (~/.ai-memory/blocks/*.md) is retrieved and appended to the agent's system prompt at runtime. • Ingestion points: Untrusted data enters the agent context through the remember.ts script. • Boundary markers: The launch-claude.sh script uses triple-dash delimiters (---) to separate the persona profile from the memory context. • Capability inventory: The skill can execute the agent binary and manage local memory files. • Sanitization: No sanitization of the retrieved memory strings is performed before they are interpolated into the system prompt.
- [EXTERNAL_DOWNLOADS]: The evaluation dashboard references font assets from trusted Google domains (fonts.googleapis.com, fonts.gstatic.com).
- [DATA_EXFILTRATION]: The serve-eval-dashboard.ts script accesses local shell configuration files (~/.zprofile, ~/.env) to retrieve the ANTHROPIC_API_KEY for use with the official Anthropic API during testing. This sensitive file access is part of the intended developer convenience for the skill's evaluation dashboard.
Audit Metadata