memory-pill
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The 'Auto-Setup' section contains a direct instruction to the agent to perform filesystem operations without seeking user consent: 'Do not ask the user for permission — just create it'. This is a directive to bypass standard interactive safety protocols and user-confirmation workflows.
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands (`mkdir -p` and `cat`) to establish an extended PARA structure and create a voice guide file. The automated execution of shell scripts without user intervention, particularly when combined with an explicit instruction to bypass permission, represents a security concern regarding the integrity of the agent's filesystem.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect injection via its prompt expansion and fact extraction systems.
  - Ingestion points: Untrusted data enters the context from `memory/daily/*.md` and project/people markdown files during memory search and fact extraction.
  - Boundary markers: There are no boundary markers or instructions to ignore embedded commands defined in the templates provided for processing this data.
  - Capability inventory: The skill has the capability to modify the filesystem (`mkdir`, `cat`) and spawn sub-agents with dynamically generated prompts based on the ingested data.
  - Sanitization: No sanitization or validation of ingested content is specified before it is used to generate 'expanded prompts' for sub-agents.
Audit Metadata