recall
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE
Categories: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill directly interpolates user-supplied input from the $ARGUMENTS variable into the prompt. This creates a vulnerability where a user can provide a search query designed to override the agent's instructions or bypass safety guidelines.
- [DATA_EXFILTRATION]: The skill provides access to sensitive historical data, including past observations, session details, and learnings stored in the agentmemory system. While this is the skill's intended purpose, it facilitates the retrieval of potentially private or confidential information from previous interactions.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by retrieving and processing data from a persistent storage mechanism that may contain untrusted content.
  - Ingestion points: Content is retrieved from the agentmemory MCP server using the memory_smart_search tool, which returns narratives and observations.
  - Boundary markers: The instructions do not define any boundary markers (such as XML tags or delimiters) or provide warnings to the agent to ignore instructions embedded within the retrieved memory data.
  - Capability inventory: The skill uses the memory_smart_search tool and requires an active MCP server connection.
  - Sanitization: No sanitization or filtering of the retrieved observations is performed before they are presented to the model context.
Audit Metadata