memory-search
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION]: The skill's instructions in `SKILL.md` direct the agent to use the `Bash` tool to execute a Node.js script with an interpolated search query: `node .claude/lib/memory/memory-search.cjs "your query"`. This pattern is vulnerable to shell injection. If an agent-generated or user-influenced query contains shell metacharacters (such as backticks, semicolons, or dollar signs), it could lead to arbitrary command execution on the host system despite the use of double quotes.
- [PROMPT_INJECTION]: The skill facilitates Indirect Prompt Injection by retrieving data from potentially untrusted memory files and presenting it as authoritative context for the agent to follow.
  - Ingestion points: Data is read from files in `.claude/context/memory/`, including `learnings.md`, `decisions.md`, `issues.md`, `gotchas.json`, and `patterns.json`.
  - Boundary markers: The search results are presented with source file names and similarity scores, but the content previews lack delimiters or instructions to ignore embedded commands.
  - Capability inventory: The agent is equipped with the `Bash` tool and instructed to "follow [the results] exactly as presented."
  - Sanitization: There is no evidence of sanitization, filtering, or escaping of the retrieved content before it is injected into the agent's prompt context.
- [EXTERNAL_DOWNLOADS]: The skill references and executes code from paths outside its own package structure, specifically `../../../../.claude/tools/observability/send-event.cjs` and `.claude/lib/memory/memory-search.cjs`. Relying on files deep in the parent directory structure assumes a specific environment layout and could lead to the execution of unintended or malicious files if the environment is not strictly controlled.