hippocampus
Fail
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Several scripts in the skill are vulnerable to command injection via unsafe string interpolation in Python code blocks.
  - Evidence: In scripts/recall.sh, the $QUERY variable is directly concatenated into a Python source string: QUERY = "$QUERY".lower(). A maliciously crafted query could escape the string and execute arbitrary Python code. A similar pattern exists in scripts/reinforce.sh using the $MEM_ID variable.
  - Impact: This allows for arbitrary code execution within the agent's environment if the agent or a user provides a specially crafted input string.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its processing of untrusted session data.
  - Ingestion points: Conversation logs are extracted by preprocess.sh and stored in ~/.openclaw/workspace/memory/signals.jsonl.
  - Boundary markers: The instructions for the Hippocampus Agent in agentdir/AGENTS.md and agents/hippocampus-agent.md fail to use delimiters or unique markers to separate the processing instructions from the raw message data.
  - Capability inventory: The Hippocampus Agent has permission to modify the central memory store ~/.openclaw/workspace/memory/index.json using file write operations.
  - Sanitization: There is no evidence of sanitization, filtering, or validation of user-provided content before it is presented to the LLM for memory classification.
Recommendations
- AI detected serious security threats
Audit Metadata