load-context
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill uses 'auto-invoke: session-start' to automatically pull data from Mem0 and a knowledge graph into the active session. This creates a critical vulnerability surface where malicious content previously stored in memory could hijack the agent immediately upon startup.
- Ingestion points: Data enters via 'mcp__mem0__search_memories' and 'mcp__memory__search_nodes'.
- Boundary markers: None. The output format in Step 6 interpolates data directly into the prompt without protective delimiters.
- Capability inventory: The skill possesses 'Read', 'Grep', and 'Glob' filesystem tools plus various graph/memory query tools.
- Sanitization: No sanitization or validation of the retrieved memory content is performed before interpolation.
- Data Exfiltration (MEDIUM): The 'Global Best Practices' feature (Step 5) transmits inferred project metadata—including technologies, entities, and file types—to an external query target ('orchestkit-global-best-practices'). While presented as an opt-in feature, it facilitates the leakage of environment-specific context to a third-party service.
- Excessive Tool Permissions (LOW): The skill requests broad filesystem access ('Read', 'Grep', 'Glob') to infer technologies, which increases the blast radius if the agent is compromised by the data it ingests.
Recommendations
- AI detected serious security threats
Audit Metadata