hippocampus-memory
Pass
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: `scripts/preprocess.sh` reads raw conversation transcripts from `~/.openclaw/agents/$AGENT_ID/sessions/*.jsonl` which contain untrusted user input.
  - Boundary markers: Absent. In `scripts/summarize-pending.sh`, signals are passed to the sub-agent for summarization using simple numeric labels (e.g., `[1]`, `[2]`) without unique random delimiters or XML-style tags to prevent the LLM from confusing signal content with instructions.
  - Capability inventory: The sub-agent (via `summarize-pending.sh` and `agents/hippocampus-agent.md`) has the capability to write to the `memory/index.json` file and potentially manipulate the agent's long-term memory state.
  - Sanitization: `scripts/preprocess.sh` performs regex-based cleaning, removing control characters, specific tags (like `<file>`), and non-ASCII sequences, which provides some mitigation against simple injection attempts.
- COMMAND_EXECUTION (SAFE): The skill executes multiple local Bash and Python scripts to manage its memory lifecycle.
  - Evidence: `install.sh` correctly uses `chmod +x` on its own scripts and initializes data files using heredocs with quoted delimiters (e.g., `'EOF'`) to prevent shell injection during installation.
- DATA_EXFILTRATION (SAFE): While the skill processes sensitive conversation history, it does so entirely within the local `$WORKSPACE`. No network operations or unauthorized data transmissions were detected in the provided scripts.
Audit Metadata