Deep Agents Memory & Filesystem
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill establishes an attack surface for indirect prompt injection through its file ingestion and memory retrieval features.
  - Ingestion points: Untrusted data enters the agent's context via the read_file and grep tools, as well as via the StoreBackend when retrieving long-term memory (SKILL.md).
  - Boundary markers: The provided examples do not include delimiters or specific prompt instructions to distinguish retrieved data from system instructions.
  - Capability inventory: The agent is equipped with high-impact tools such as write_file and edit_file, which could be abused if the agent obeys instructions hidden in read files.
  - Sanitization: The documentation explicitly recommends the use of virtual_mode=True to restrict the agent to a specific root directory and prevent unauthorized access to the host filesystem.
- [COMMAND_EXECUTION]: The skill provides the agent with capabilities to perform operations on the host or container filesystem.
  - Evidence: The FilesystemBackend allows the agent to execute filesystem operations like writing and editing files (SKILL.md).
  - Mitigation: The skill includes clear security guidance, advising against the use of local filesystem access in production web environments and recommending ephemeral backends or sandboxing.
Audit Metadata