remembering-conversations

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill employs forceful, overriding language in its metadata and body ("ALWAYS USE THIS SKILL WHEN STARTING ANY KIND OF WORK, NO MATTER HOW TRIVIAL", "YOU MUST dispatch the search-conversations agent"). These instructions are designed to hijack the agent's decision-making process and force the execution of this specific routine regardless of the user's actual request.
  • [INDIRECT_PROMPT_INJECTION] (HIGH): This skill is highly vulnerable to Indirect Prompt Injection (Category 8).
      • Ingestion points: Untrusted data enters the context via the search-conversations subagent, which pulls content from the episodic-memory MCP tools.
      • Boundary markers: There are no delimiters or instructions to ignore embedded commands within the retrieved historical data.
      • Capability inventory: The skill synthesizes historical findings into "actionable insights" that direct the agent's next steps, meaning a malicious instruction stored in a past conversation could gain control over the current session.
      • Sanitization: No sanitization or validation of the retrieved content is performed before it is processed by the agent.
  • [DATA_EXPOSURE] (MEDIUM): The skill facilitates the automated retrieval of "all past conversations and projects." If previous sessions involved sensitive data, credentials, or PII, this skill provides a direct mechanism to bring that sensitive data back into the active context where it could be exfiltrated if the agent is compromised.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:44 PM