agent-memory
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill utilizes shell commands (
mkdir,cat,rg,trash) with interpolated paths and filenames. - Evidence: Templates such as
mkdir -p .claude/skills/agent-memory/memories/category-name/andcat > ...filename.mdrely on the agent to provide safe, sanitized strings. If the agent uses direct user input without following the provided kebab-case guidelines, it could lead to directory traversal or command injection. - [PROMPT_INJECTION] (LOW): The skill creates an attack surface for indirect prompt injection by storing and later retrieving data.
- Ingestion points: Memory files stored in
.claude/skills/agent-memory/memories/are read back into the agent's context during search operations (rg) or file reading. - Boundary markers: Uses YAML frontmatter and Markdown headers, but lacks explicit instructions to the agent to disregard instructions found within the stored content.
- Capability inventory: The skill allows file writing, directory creation, searching, and deletion via shell commands.
- Sanitization: Guidelines recommend kebab-case for filenames, but there is no technical enforcement or validation of the content being stored.
- Risk: If the agent saves malicious instructions provided by a user or found during research, those instructions could influence the agent's behavior when the memory is recalled in a future session.
Audit Metadata