memory-init

Pass

Audited by Gen Agent Trust Hub on Mar 22, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it processes untrusted data from the local project environment to generate documentation and configuration.
  • Ingestion points: Steps 1, 7, and 8 read various project files including configuration (package.json, pyproject.toml), documentation (README.md), and source code files to infer project details.
  • Boundary markers: There are no explicit delimiters or safety instructions (e.g., "ignore embedded instructions") used when the agent reads and processes the content of these external files.
  • Capability inventory: The skill possesses file-read capabilities (to scan the project) and file-write capabilities (to create documentation in ai-context/ and update openspec/config.yaml). It does not have network access or direct command execution capabilities.
  • Sanitization: The skill lacks sanitization or validation logic for the content it extracts from project files before using it to scaffold documentation or configuration entries, allowing potentially malicious strings to be propagated into the project's persistent memory layer.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 22, 2026, 09:45 AM