memos
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The `SKILL.md` file uses coercive language to override agent decision-making regarding tool use. It includes headers like '⚠️ MANDATORY SKILL INVOCATION ⚠️' and explicitly states that 'Failure to invoke this skill when triggers occur violates your operational requirements', which is a pattern designed to bypass the agent's natural selection of tools.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from an external Memos instance.
  - Ingestion points: Data enters the agent's context through `scripts/memo-api.sh` (list, get commands) and `scripts/search-api.sh` (search results).
  - Boundary markers: There are no boundary markers or 'ignore embedded instructions' warnings provided when presenting memo content to the agent.
  - Capability inventory: The skill possesses the ability to execute shell commands (`bash`), make network requests (`curl`), and write files to the local system (`scripts/resource-api.sh download`).
  - Sanitization: While the scripts use `jq` for safe JSON construction when sending data to the API, they do not sanitize or filter the content retrieved from the Memos instance before it is processed by the agent.
- [COMMAND_EXECUTION]: The skill operates by executing a suite of local bash scripts (`scripts/memo-api.sh`, `scripts/resource-api.sh`, `scripts/search-api.sh`, `scripts/tag-api.sh`, `scripts/user-api.sh`). These scripts perform operations using subprocesses including `curl`, `jq`, `sed`, and `base64`.
- [DATA_EXFILTRATION]: The `scripts/resource-api.sh` file includes a `download` command that allows writing data from the remote server to a local path specified by the agent. If an attacker-controlled memo includes a file with malicious instructions, they might attempt to trick the agent into overwriting sensitive local configuration files.