
agent-memory

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill implements a pattern where external, untrusted content is automatically loaded into the LLM's context.
  • Ingestion points: The skill explicitly reads from AGENTS.md in any repository root: "If this file exists, it will be added to your context automatically."
  • Boundary markers: There are no markers or delimiters defined to separate the untrusted AGENTS.md content from the system instructions.
  • Capability inventory: The skill is intended for use in environments where the agent manages repository structure and executes "Common commands (build, lint, test, etc.)". This creates a high-risk path where poisoned data in AGENTS.md could trick the agent into executing malicious shell commands during a build or test phase.
  • Sanitization: No validation or sanitization is performed on the ingested content.
  • Persistence Mechanisms (LOW): The skill aims to maintain state across sessions by writing to the file system. While this is the intended functionality, it allows the agent to modify the repository environment, which could be abused if the agent is already compromised via prompt injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 10:16 AM