total-recall
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill maintains an indirect prompt injection surface by autonomously summarizing untrusted conversation transcripts into long-term memory.
  - Ingestion points: `scripts/observer-agent.sh` reads session JSONL logs from the agent sessions directory.
  - Boundary markers: The skill does not use specific boundary markers or instructions to ignore embedded commands when processing conversation text.
  - Capability inventory: The skill has file system access (memory/, logs/) and network access via `curl`.
  - Sanitization: No sanitization is performed on conversation text before it is sent to the LLM for summarization.
- [COMMAND_EXECUTION]: The `scripts/dream-cycle.sh` script executes an inline Python script using a heredoc to calculate importance decay for stored observations.
- [COMMAND_EXECUTION]: Multiple scripts use the `eval` command to load configuration variables from a local `.env` file, though usage is restricted to specific keys via regex.