initializing-memory
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) due to the way it ingests and processes external data.
  - Ingestion points: The skill reads various project files (e.g., `README.md`, `package.json`), git logs, and local application history files (`~/.claude/history.jsonl`, `~/.codex/history.jsonl`).
  - Boundary markers: There are no instructions to use delimiters or to treat ingested content as data rather than instructions; the agent is simply told to "analyze" and "cross-reference" the findings.
  - Capability inventory: The skill utilizes powerful tools including shell command execution (`bash`, `git`), filesystem manipulation (`mkdir`, `mv`), and the ability to spawn parallel subagents (`Task` tool).
  - Sanitization: No sanitization, escaping, or filtering is performed on the data read from external sources before it is processed by the agent.
- [COMMAND_EXECUTION]: The skill's primary functionality relies on executing a variety of shell commands to manage the memory filesystem.
  - Evidence: The instructions direct the agent to use `mkdir -p`, `mv`, `ls`, `wc`, `split`, and `git` (merge, push, worktree) to organize files within the `~/.letta/` directory.
  - Note: While these commands are consistent with the skill's stated purpose of memory management, the combination of shell access and untrusted data ingestion increases the overall risk surface.