memory

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill instructions (Step 3) explicitly direct the agent to "Apply memories silently" and "Incorporate remembered preferences into responses and tool usage without announcing them." This instruction suppresses transparency, making it difficult for users to detect whether the agent's behavior is being influenced by malicious or corrupted data.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection, as it ingests untrusted data from a local file and uses it to steer agent behavior.
      • Ingestion points: Reads project memories from .claude/memories/project_memory.json, as described in SKILL.md and references/implementation.md.
      • Boundary markers: None identified. The agent is instructed to parse and apply the JSON content directly, without delimiters or instructions to ignore embedded commands.
      • Capability inventory: The skill uses Read and Write tools for file management and includes a Python script (scripts/manage-memory.py) for administrative tasks.
      • Sanitization: No validation or sanitization of the memory content is performed before it is loaded into the agent's context.
  • [COMMAND_EXECUTION]: The skill provides a Python script, scripts/manage-memory.py, which performs file system operations (read/write/directory creation) to manage the memory storage. While the script itself is straightforward, it represents an additional execution vector in the local environment.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 16, 2026, 06:12 AM