memory-search
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection surface. The skill allows the agent to store arbitrary content from user interactions and retrieve it later to provide context for future tasks. This creates a vulnerability where an attacker could provide instructions that are 'remembered' by the agent and later executed when retrieved, potentially leading to unauthorized actions in a different session.
- Ingestion points: The memory_store tool call (in SKILL.md) accepts arbitrary 'content' strings for storage.
- Boundary markers: There is no documentation or evidence of delimiters (e.g., XML tags or specific 'ignore' instructions) being used when retrieved memory content is injected back into the prompt context.
- Capability inventory: Memories are retrieved through the memory_search, memory_get, and memory_recent tool calls across all sessions.
- Sanitization: No sanitization, filtering, or validation is implemented for the stored content to prevent the persistence of executable instructions.
Audit Metadata