memory-organizer
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is instructed to process conversation history and use findings to update critical configuration and instruction files (
USER.md,AGENT.md,IDENTITY.md,SOUL.md). - Ingestion points: Untrusted data enters the context via
scripts/fetch_conversations.py, which retrieves message content from a local API. - Boundary markers: There are no explicit delimiters or specific instructions for the agent to ignore or sanitize commands embedded within the retrieved messages.
- Capability inventory: The skill provides the agent with instructions and mechanisms to write directly to files that define its personality, constraints, and user-specific knowledge.
- Sanitization: The script performs basic keyword filtering for 'compression' but does not include any validation or escaping to prevent instruction injection.
- [EXTERNAL_DOWNLOADS]: The skill uses the
requestslibrary to communicate with a local API endpoint (localhost) to fetch conversation data. While the target is local, this represents an external data dependency. - [DATA_EXFILTRATION]: The script
scripts/fetch_conversations.pycontains a hardcoded file path (/Users/zhangzheng/.sage) in theget_available_agentsfunction, which exposes the author's local system structure and limits the skill's portability.
Audit Metadata