perpetual-memory

Pass

Audited by Gen Agent Trust Hub on Mar 22, 2026

Risk Level: SAFE
Flagged categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill documentation suggests an implementation in which agents execute a bash command with tool outputs interpolated into the command string. The provided escaping logic only addresses double quotes and does not neutralize other shell-active constructs such as backticks or subshells, creating a risk of command injection if the summarized tool data contains malicious payloads.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it automatically ingests and indexes data from tool outputs and interaction summaries. Malicious instructions embedded in the summarized content of tools (e.g., outputs from bash, web scrapers, or file reads) can be stored in the vector database and subsequently recalled, potentially causing the agent to follow adversarial instructions in a different context.
      • Ingestion points: interaction text summaries, task update metadata, and bash command findings extracted after tool completion (SKILL.md).
      • Boundary markers: None identified. The instructions do not define delimiters or contextual warnings to separate memory data from agent instructions.
      • Capability inventory: The skill uses the Bash tool to interface with the auto-embed.cjs utility for database operations (scripts/main.cjs).
      • Sanitization: There is an instruction to exclude secrets, but no systematic sanitization is applied to the content to prevent instructions from being misinterpreted by the LLM during retrieval.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 22, 2026, 04:50 PM