claude-cookbooks
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
Categories: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The contribution guide in `references/CONTRIBUTING.md` provides a command to install the `uv` package manager via a shell script from `astral.sh`, which is a well-known service for Python developer tooling.
- [COMMAND_EXECUTION]: The `scripts/memory_tool.py` script enables the agent to perform file-based operations including viewing, creating, and modifying files in a persistent memory directory. The script uses robust path validation logic to ensure that file operations are restricted to the `/memories` directory, mitigating the risk of directory traversal attacks.
- [PROMPT_INJECTION]: The memory tool introduces an indirect prompt injection surface as it allows the agent to ingest and act upon data stored in local files.
  - Ingestion points: The `_view` method in `scripts/memory_tool.py` reads file contents into the agent's context.
  - Boundary markers: The implementation does not provide explicit boundary markers to distinguish memory content from system instructions.
  - Capability inventory: The tool includes capabilities for file creation, replacement, insertion, and deletion within `scripts/memory_tool.py`.
  - Sanitization: While the tool enforces directory boundaries for security, it does not sanitize or validate the content of the memory files for embedded instructions.
Audit Metadata