hindsight-self-hosted
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- Remote Code Execution (CRITICAL): The skill instructs users to install its CLI with curl -fsSL https://hindsight.vectorize.io/get-cli | bash. Piping a remotely served script straight into a shell lets an untrusted third-party server execute arbitrary code on the host, with no opportunity to inspect or pin what actually runs. vectorize.io is not on the trusted sources list.
- Indirect Prompt Injection (HIGH): The skill retrieves 'memories' from a shared server and uses them to influence the agent's behavior.
- Ingestion points: Data is pulled from the Hindsight server via the recall and reflect commands (SKILL.md).
- Boundary markers: There are no markers or instructions to treat recalled content as untrusted data.
- Capability inventory: The agent uses this data to 'suggest tools, libraries, or approaches' and 'write code', creating a path for malicious instructions in memories to become executable code (SKILL.md).
- Sanitization: No sanitization of the memory content is performed before it enters the agent's context.
- Credentials Unsafe (HIGH): The skill instructs the agent to create and store an API key in plain text in ~/.hindsight/config. This exposes a sensitive credential at a predictable location on the file system.
- External Downloads (MEDIUM): The skill downloads and executes a script from vectorize.io, which is not a trusted source per the [TRUST-SCOPE-RULE].
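The remote-code-execution and external-download findings above share one root cause: the installer is piped straight from the network into bash. The script below is an added example of the staged alternative an operator would use instead; it is not part of the skill, the audit, or the Hindsight project. It downloads the installer to a file, computes its SHA-256, and only executes it if the hash matches a value the operator pinned after reviewing the script out of band. The installer URL is the one the skill uses; the pinned hash is an assumed placeholder supplied by the operator, not a value published by the project.

```shell
#!/usr/bin/env bash
# Added example: staged, hash-verified installation instead of `curl ... | bash`.
# INSTALLER_URL is taken from the skill's own instructions. The pinned SHA-256
# passed to run_verified_installer is an ASSUMED operator-supplied value,
# recorded only after the downloaded script has been read and approved.
set -euo pipefail

INSTALLER_URL="https://hindsight.vectorize.io/get-cli"

# fetch_installer: download to a file, never into a shell. Forces HTTPS and
# TLS 1.2+ so a downgrade cannot substitute the script in transit.
fetch_installer() {
  local dest="$1"
  curl -fsSL --proto '=https' --tlsv1.2 -o "$dest" "$INSTALLER_URL"
}

# sha256_of: print the SHA-256 hex digest of a file (sha256sum on Linux,
# shasum on macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_installer: succeed only if the file's digest equals the pinned value.
verify_installer() {
  local file="$1" expected="$2" actual
  actual="$(sha256_of "$file")"
  [ "$actual" = "$expected" ]
}

# run_verified_installer: the only code path that executes the script, and it
# refuses unless the pinned hash matches. Runs as the current user, never sudo.
run_verified_installer() {
  local file="$1" expected="$2"
  if ! verify_installer "$file" "$expected"; then
    echo "refusing to run $file: SHA-256 does not match pinned value" >&2
    return 1
  fi
  bash "$file"
}

# Usage (the fetch step needs network access; everything else runs offline):
#   tmp="$(mktemp)"
#   fetch_installer "$tmp"
#   less "$tmp"                      # review before pinning
#   sha256_of "$tmp"                 # record this value as the pin
#   run_verified_installer "$tmp" "<pinned sha256 recorded after review>"
```

The pin only protects against the served script changing after review; it does not make vectorize.io a trusted source, so the review step is the part that actually carries the decision. A rotated pin should be treated as a signal to re-read the script, not as a routine update.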
Recommendations
- CRITICAL: Downloads and executes remote code from untrusted source(s): https://hindsight.vectorize.io/get-cli - DO NOT USE
- AI detected serious security threats
Audit Metadata