agent-memory
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill processes and stores untrusted external data (research findings, code snippets, user requests) into persistent memory files.
- Ingestion points: Files located in
.claude/skills/agent-memory/memories/. - Boundary markers: Absent. The agent reads raw markdown and YAML content without delimiters to distinguish between data and instructions.
- Capability inventory: Ability to execute shell commands (
rg,mkdir,cat,trash) and write files to the local system. - Sanitization: Absent. There is no evidence of filtering or escaping content before it is stored or processed.
- [Command Execution] (MEDIUM): The skill relies on shell commands for all memory management operations, creating a surface for command injection.
- Evidence: Shell snippets in
SKILL.mduse variables likecategory-name,filename, andkeywordwhich are derived from agent logic or user input. - Risk: A malicious input could trigger path traversal (e.g., using
../../) or command chaining (e.g., using;or&&) within the shell execution context.
Recommendations
- AI detected serious security threats
Audit Metadata