memory-recall
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs shell commands by interpolating user-provided arguments directly into a string within
SKILL.md:memsearch search "<query>". Because the input is wrapped in double quotes but not properly escaped, an attacker can use shell metacharacters like backticks or command substitution (e.g.,$(...)) to execute arbitrary commands on the host system. - [EXTERNAL_DOWNLOADS]: The skill instructions include
uvx memsearch, which triggers the dynamic download and execution of thememsearchpackage from a remote package registry at runtime. This introduces a dependency on external infrastructure. - [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process untrusted data from past sessions, creating an attack surface for indirect prompt injection.
- Ingestion points: Data enters the context via the
memsearch search,memsearch expand, andmemsearch transcriptcommands inSKILL.md. - Boundary markers: No delimiters or safety instructions are used to separate retrieved 'memory' content from the system prompt.
- Capability inventory: The skill has access to the
Bashtool, which can be exploited if the agent follows malicious instructions hidden in retrieved memories. - Sanitization: The skill does not perform any validation or sanitization of the content returned by the search utility.
Audit Metadata