memories-mcp

Warn

Audited by Snyk on Feb 28, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs agents to call get_context / search_memories against a cloud MCP endpoint (e.g., https://memories.sh/api/mcp) and to consume streamed SSE artifacts (start_memory_stream / append_memory_chunk / finalize) that return user-created "memories" and rules which the agent is required to read and which can change decisions and behavior, so it exposes the agent to untrusted third-party content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill documents a runtime cloud MCP endpoint (https://memories.sh/api/mcp) which is used by agents to fetch "rules" and memories that directly influence agent instructions (and the recommended client setup also runs remote code via npx -y @memories.sh/cli which will fetch and execute a remote package), so the external endpoint/package is a runtime dependency that can control prompts or execute code.
Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 28, 2026, 01:24 PM