persistent-memory

Pass

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill relies on the agent's ability to execute shell commands to manage its file-based memory system.
  • Evidence: The skill provides instructions for the agent to use mkdir, cat, grep, ls, and tar for initialization, searching, and maintenance of the memory directory (e.g., references/commands.md, references/setup.md).
  • Evidence: It uses git and the GitHub CLI (gh) for version control and remote synchronization (e.g., references/sync.md).
  • [CREDENTIALS_UNSAFE]: The synchronization instructions suggest practices that may lead to local credential exposure.
  • Evidence: In references/sync.md, the documentation provides a git clone example that includes a GitHub personal access token in the URL (git clone https://ghp_xxx@github.com/...). This results in the token being stored in plain text in the .git/config file of the repository.
  • [DATA_EXFILTRATION]: The skill is explicitly designed to move local data to an external service for synchronization.
  • Evidence: Detailed instructions in references/sync.md guide the agent to push the contents of the memory folder (including project logic, user identity details, and logs) to a GitHub repository. Although GitHub is a well-known service, users should be aware that their session history and metadata are being transferred externally.
  • [PROMPT_INJECTION]: The skill architecture is vulnerable to Indirect Prompt Injection (Category 8).
  • Ingestion points: The agent is instructed to read INDEX.md, MEMORY.md, and SOUL.md at the beginning of every session to establish context (SKILL.md, references/adapters/overview.md).
  • Boundary markers: The skill lacks explicit markers or instructions telling the agent to treat the retrieved memory as data rather than instructions, nor does it provide warnings to ignore embedded commands.
  • Capability inventory: Agents implementing this skill typically have high-privilege capabilities including shell access, file system modification, and network access via CLI tools.
  • Sanitization: There is no process to sanitize or validate the content of the memory files before they are injected into the agent's prompt context.
  • Risk: If an attacker can trick a user into "remembering" a snippet of code or text containing malicious instructions, those instructions will persist in the memory system and be executed or obeyed by the agent in future sessions.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 28, 2026, 12:48 PM