sanctuary-memory
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE (findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes several local Python scripts and CLI tools to manage its memory tiers, including query_cache.py, distiller.py, swarm_run.py, and ingest.py. It also utilizes chroma run to manage a local vector database and uses source ~/.zshrc to load the user's shell environment for credential access when running automation swarms.
- [EXTERNAL_DOWNLOADS]: Interacts with remote services including HuggingFace, GitHub Copilot, and Google Gemini to facilitate data processing and persistence. These interactions are aligned with the skill's primary purpose of maintaining a synchronized memory stack.
- [DATA_EXFILTRATION]: Periodically synchronizes session traces, memory caches, and snapshots to an external repository on HuggingFace (richfrem/Project_Sanctuary_Soul). This repository is owned by the skill's author and serves as the 'Soul' persistence layer.
- [PROMPT_INJECTION]: As the skill ingests and processes data from external sources like Obsidian vaults, HuggingFace datasets, and various local project files, it is subject to indirect prompt injection risks where malicious instructions embedded in the data could influence agent behavior.
- Ingestion points: Obsidian vault files (OBSIDIAN_VAULT_PATH), HuggingFace dataset (richfrem/Project_Sanctuary_Soul), and project-specific folders (LEARNING/topics/, ADRs/, 01_PROTOCOLS/).
- Boundary markers: None identified in the provided configuration.
- Capability inventory: Execution of local Python scripts, file read/write operations, network synchronization with HuggingFace, and interaction with LLM provider APIs.
- Sanitization: No explicit sanitization or filtering logic is described for the content being ingested into the memory tiers.
Audit Metadata