remember
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill creates a surface for persistent indirect prompt injection by transforming untrusted chat content into future instructions.
- Ingestion points: The skill ingests `lesson content` directly from user commands and analyzes the current chat session context to extract patterns.
- Boundary markers: Absent. There are no delimiters or instructions to treat the ingested data as untrusted, increasing the risk that embedded malicious commands are interpreted as legitimate instruction updates.
- Capability inventory: The skill possesses the capability to write and update markdown files in directories specifically designated for agent instructions (`.github/instructions/` and `vscode-userdata:/User/prompts/`).
- Sanitization: Absent. The process lacks validation or filtering to ensure that the content being 'remembered' does not contain instructions to bypass safety filters or exfiltrate data in future sessions.
- [COMMAND_EXECUTION]: The skill directs the agent to perform extensive file system operations to manage its memory database.
- Evidence: The instructions require the agent to use glob patterns to discover files across the workspace and user data directories, and to perform write operations to modify the agent's own configuration and instruction set.
Audit Metadata