
smart-memory

Fail

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The README and installation scripts (e.g., install.sh) promote a high-risk pattern where a remote shell script is downloaded from an untrusted GitHub account (BluePointDigital) and piped directly to bash. This allows for the execution of unverified and potentially malicious code on the host system during setup.
  • [COMMAND_EXECUTION]: The memory.js and smart_memory.js files utilize execSync and child_process to manage memory indexing and searching operations. While the skill attempts to wrap arguments with JSON.stringify to mitigate injection, the programmatic execution of shell commands based on runtime input remains a significant attack surface.
  • [EXTERNAL_DOWNLOADS]: The skill performs several external downloads, including fetching the all-MiniLM-L6-v2 embedding model (approximately 80MB) from HuggingFace via Transformers.js. It also attempts to dynamically load the sqlite-vec extension from various local and system-defined paths, which could be exploited if an attacker can write files to those locations.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its core function of ingesting and synthesizing external data.
      • Ingestion points: Processes user queries through memory_search and reads data from MEMORY.md and various files within the memory/ directory.
      • Boundary markers: There are no explicit delimiters or instruction-bypass warnings used when retrieved content is interpolated into the agent's context during 'Focus Mode' synthesis.
      • Capability inventory: The skill possesses extensive capabilities, including shell command execution (execSync) and local file system access (read/write).
      • Sanitization: The codebase implements path traversal defenses using path.resolve and workspace prefix validation in memory.js, and it sanitizes FTS5 search queries to prevent SQL-related issues.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/BluePointDigital/smart-memory/main/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 2, 2026, 08:47 AM