cass-memory
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's primary function is to ingest 'rules' and 'history snippets' from the
cm contextcommand to guide the agent's approach. This content is treated as authoritative, creating a vector where malicious instructions previously recorded in the 'playbook' can persist and override agent safety guidelines or behavior in future sessions. - Evidence Ingestion:
cm context "Description"output (SKILL.md). - Capability Inventory: CLI execution and task fulfillment based on retrieved context.
- Missing Boundary Markers: There are no instructions for the agent to treat the retrieved context as untrusted data or to use delimiters to separate rules from instructions.
- [Command Execution] (HIGH): Several commands interpolate free-form natural language into shell executions (e.g.,
cm context "[task]",cm playbook add "[rule]"). Without strict sanitization, this provides a direct path for command injection via shell metacharacters like semicolons, backticks, or pipes. - [External Downloads] (MEDIUM): The skill depends on a
cmCLI tool which is described as 'part of the cass-memory system' but lacks a verifiable source, installation script, or checksum. This represents a supply-chain risk where the agent might be prompted to install an untrusted binary.
Recommendations
- AI detected serious security threats
Audit Metadata