memento
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill performs read and write operations on local files, specifically CLAUDE.md and skill markdown files. While the intended use is benign (memory management), this capability could be exploited if malicious instructions are processed.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection (Category 8). It ingests untrusted data from the conversation history and uses it to generate suggestions that are then written back to system files.
  - Ingestion points: Reads the entire active conversation history and existing markdown files in Step 1 and Step 3.
  - Boundary markers: None identified. No specific instructions are provided to the model to ignore embedded commands within the conversation history.
  - Capability inventory: Uses the Edit tool to modify files on the local filesystem ($PROJECT_PATH, $USER_PATH, and skill files).
  - Sanitization: None identified. Suggestions extracted from potentially attacker-controlled conversation data are directly written to system configuration files.
Audit Metadata