mem-search

Warn

Audited by Gen Agent Trust Hub on Apr 15, 2026

Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is designed to retrieve and process historical data (observations and prompts) from a memory database. This content is then used to provide context to the AI agent. If the stored data contains malicious instructions from an untrusted source encountered in a previous session, the agent might follow those instructions during retrieval.
  • Ingestion points: Data entering the context via the get_observations tool in SKILL.md.
  • Boundary markers: The skill lacks specific delimiters or warnings to treat historical data as untrusted or to ignore instructions embedded within it.
  • Capability inventory: The agent has the ability to search, filter, and fetch data, and it can interact with the project environment.
  • Sanitization: No evidence of validation or sanitization of the retrieved memory records.
  • [COMMAND_EXECUTION]: The skill documentation includes a section on 'User-Installable Grammars' using a .claude-mem.json configuration file. This configuration allows specifying a Node.js package name that is dynamically loaded to provide AST parsing for new languages.
  • Evidence: The skill explicitly mentions that custom grammars can be added by specifying a package name, such as tree-sitter-gleam, which must be installed and is then loaded by the tool.
  • Risk: Dynamically loading packages based on a configuration file allows for the execution of arbitrary code if an attacker can influence the contents of the .claude-mem.json file or the available packages in the environment.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 15, 2026, 10:46 PM