engram-memory
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill employs strong imperative language and instructional persistence techniques—using terms like 'ALWAYS ACTIVE', 'MANDATORY', 'You MUST', and 'IMMEDIATELY and WITHOUT BEING ASKED'—to override the agent's default operational logic and enforce the memory protocol.
- [PROMPT_INJECTION]: The skill establishes an indirect prompt injection surface by instructing the agent to ingest and store data from external sources and session outcomes for future retrieval. This allows malicious instructions embedded in processed data to persist across sessions.
  - Ingestion points: Architecture decisions, bug fix details, feature implementations, and artifacts from external platforms like Notion, Jira, and GitHub (SKILL.md).
  - Boundary markers: None; the protocol lacks instructions for the agent to use delimiters or explicitly ignore instructions found within the stored memory content.
  - Capability inventory: Uses 'mem_save', 'mem_search', 'mem_get_observation', and 'mem_update' tools to persist and recall context (SKILL.md).
  - Sanitization: None; session findings and technical discoveries are saved directly to the database without validation or filtering.
- [DATA_EXFILTRATION]: The instructions mandate the proactive saving of 'configuration change or environment setup' and 'technical findings' to a persistent memory system. This creates a risk of sensitive system information, internal paths, or unintended metadata being exposed to the memory tool provider or database without manual review.
Audit Metadata