auto-dream
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the `Bash` tool to run local maintenance commands, including `sqlite3` for querying the session database (learning.db) and `git` for analyzing repository commit history. These operations are restricted to read-only metadata retrieval to determine memory relevance.
- [COMMAND_EXECUTION]: The skill facilitates persistent background execution by instructing the agent to register a cron job via a local utility (`crontab-manager.py`). This job automates the memory maintenance cycle through a wrapper script, which is documented as the skill's primary intended behavior.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it ingests and synthesizes memory files generated from previous user interactions.
  - Ingestion points: Reads project memory files from `${DREAM_MEMORY_DIR}` and session data from `${DREAM_LEARNING_DB}`.
  - Boundary markers: The final injection-ready payload is wrapped in a `<retro-knowledge>` block with instructional delimiters to guide the agent's interpretation of the data.
  - Capability inventory: Employs `Read`, `Write`, `Edit`, and `Bash` tools to manage the file lifecycle and repository metadata.
  - Sanitization: The skill relies on logic-level safety constraints defined in the prompt (e.g., 'Never delete files', 'Flag conflicts', and 'Archive only') rather than explicit string sanitization.
Audit Metadata