people-memories
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFE
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The Node.js extension automatically executes a local Python script whenever a specific pattern is detected in voice transcripts.
  - Evidence: extensions/people-memories/index.js uses execFile to run python3 with arguments derived from user input.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection by ingesting and acting upon untrusted data from voice chat transcripts.
  - Ingestion points: The voice-chat:transcript event listener in extensions/people-memories/index.js.
  - Boundary markers: Absent. The skill does not use delimiters to separate untrusted note content.
  - Capability inventory: Includes subprocess execution (execFile) and file system write operations (Path.write_text).
  - Sanitization: Absent. The capture regex captures all remaining text and passes it directly to command-line arguments.
- [DATA_EXFILTRATION]: The skill provides functionality to write stored personal data to arbitrary locations on the local file system.
  - Evidence: The export command in scripts/people_memory.py uses Path(out_path).write_text(out) where out_path is a user-provided argument.
Audit Metadata