AgentDB Memory Patterns
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Flags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill frequently uses 'npx agentdb@latest' to fetch code from the npm registry. Neither the 'agentdb' package nor the 'ruvnet' author is listed as a trusted source, posing a supply chain risk.
- REMOTE_CODE_EXECUTION (HIGH): Commands like 'npx agentdb@latest mcp' and 'npx agentdb@latest create-plugin' facilitate the execution of remotely fetched code. Using the '@latest' tag is particularly dangerous as it permits the execution of the most recent, potentially unvetted code versions.
- COMMAND_EXECUTION (MEDIUM): The skill exposes various CLI operations to the agent, including database initialization, querying, and performance benchmarking, which provide broad access to system resources.
- PROMPT_INJECTION (LOW): (Category 8) Potential for Indirect Prompt Injection. 1. Ingestion points: 'adapter.insertPattern' and 'db.storeMemory' (SKILL.md) allow storing arbitrary conversation data. 2. Boundary markers: Absent in the provided examples. 3. Capability inventory: File system writes via 'export' and code generation via 'create-plugin'. 4. Sanitization: No sanitization or validation of the stored content is shown.
- OBFUSCATION (MEDIUM): Several paths and URLs use '$' as a delimiter (e.g., 'agentic-flow$reasoningbank', 'github.com$ruvnet'), which is a non-standard pattern that can be used to evade simple string-based security scanners.
Recommendations
- AI detected serious security threats
Audit Metadata