memory-integration
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill implements a memory system that retrieves untrusted content from previous interactions and external summaries.
  - Ingestion points: Data enters the agent context via mcp__plugin_episodic-memory_episodic-memory__search, mcp__plugin_episodic-memory_episodic-memory__read, and mcp__memory__search_nodes.
  - Boundary markers: The skill lacks explicit instructions to treat retrieved memory as data rather than instructions, and does not use XML tags or delimiters to isolate memory content.
  - Capability inventory: The skill is explicitly integrated with high-privilege modules like issue-driven-development, which likely possesses file modification and command execution capabilities.
  - Sanitization: No sanitization or validation logic is present to filter executable instructions from memory data.
- Data Exposure (HIGH): The skill provides the agent with direct read access to highly sensitive local files containing conversation logs.
  - Evidence: The tool mcp__plugin_episodic-memory_episodic-memory__read specifically targets paths like /path/to/conversation.jsonl, which contains the full history of decisions, problems, and potentially secrets from past sessions.
- Metadata Poisoning (LOW): While the metadata is descriptive, the close integration with execution-heavy skills makes any instruction in the description or overview (like the 'Core Principle' section) highly influential on agent behavior.
Recommendations
- AI detected serious security threats
Audit Metadata