memory-management
Fail
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill documentation states that it retrieves the ANTHROPIC_API_KEY from the environment for classification tasks, which poses a risk of credential exposure.
- [COMMAND_EXECUTION]: The skill instructions require the user to run npx commands for installation and management. Additionally, the skill establishes persistence by modifying .claude/settings.json and automatically generating instruction files in the .claude/skills/auto-*/ directory.
- [REMOTE_CODE_EXECUTION]: The skill documentation instructs the execution of code from the npm registry via npx (e.g., npx claude-recall), which involves downloading and running code from an unverified source at runtime.
- [PROMPT_INJECTION]: The persistent memory system creates a surface for indirect prompt injection.
  - Ingestion points: Untrusted user input (corrections, preferences) is captured via the mcp__claude-recall__store_memory tool (SKILL.md).
  - Boundary markers: There are no explicit instructions or delimiters mentioned to prevent the agent from obeying instructions embedded within stored memories when they are re-injected via load_rules.
  - Capability inventory: The agent has the ability to write files to the local system and execute commands via associated CLI tools.
  - Sanitization: No evidence of sanitization or validation of the stored content is provided.
Recommendations
- AI detected serious security threats
Audit Metadata