triple-memory
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill establishes a high-risk surface for indirect prompt injection by automatically ingesting untrusted data from both workspace files and conversation history.
  - Ingestion points: SKILL.md (LanceDB auto-recall) and scripts/file-search.sh (workspace file search).
  - Boundary markers: Absent. The skill does not use delimiters or instructions to ignore embedded commands in retrieved memory.
  - Capability inventory: The skill has the capability to execute shell commands (clawdbot) and Python scripts (memory.py), which are influenced by this untrusted context.
  - Sanitization: Absent. No filtering or escaping of retrieved content is performed before injection into the agent's context.
- Data Exposure (MEDIUM): The scripts/file-search.sh script redirects search results to /tmp/clawdbot-filesearch.txt. Since /tmp is a world-readable directory on many multi-user systems, sensitive information retrieved from the agent's memory could be exposed to other local users.
- External Downloads (MEDIUM): The skill instructs the user to install dependencies from clawdhub (clawdhub install git-notes-memory), which is an unverified external registry. This introduces third-party dependency risk, as the downloaded code is executed locally via Python.
Recommendations
- AI detected serious security threats