slack-memory-store
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill creates persistent storage for untrusted data, which is a major vector for indirect prompt injection attacks.
  - Ingestion points: Processes content from Slack messages, Confluence documents, Email threads, and News articles as defined in 'references/classification-guide.md'.
  - Boundary markers: While YAML frontmatter is used for metadata, there are no robust delimiters or 'ignore' instructions for the body content to prevent embedded commands from influencing the agent.
  - Capability inventory: The skill possesses file-system write capabilities through 'scripts/init_memory.py' and 'scripts/update_index.py', allowing it to persist potentially malicious data.
  - Sanitization: The implementation scripts ('scripts/search_memory.py', etc.) do not include any logic to sanitize or escape the content being processed and stored.
- Data Exposure (LOW): The skill is designed to centralize sensitive PII and organizational data (User Profiles, Decision History). While this is the intended purpose, it creates a high-value target for attackers, and the scripts mention no explicit access controls.
Recommendations
- AI detected serious security threats
Audit Metadata