limitless-cli

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill possesses a significant vulnerability surface due to the combination of untrusted data ingestion and high-privilege execution capabilities.
      • Ingestion points: Lifelogs and chat messages retrieved via the Limitless API (api-client.md) or local JSON files (domain-extract.py).
      • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are documented for the extraction or query generation prompts.
      • Capability inventory: Raw Cypher query execution via 'graph query' (database-schema.md) and JavaScript code execution via pipeline 'transform' nodes (pipeline-dsl.md).
      • Sanitization: No evidence of validation or escaping for external content used in these operations.
  • [Remote Code Execution] (HIGH): The Pipeline DSL (pipeline-dsl.md) allows for the execution of arbitrary JavaScript expressions at runtime within 'transform' nodes using the pattern 'transform: | data.filter(...)'. This creates a risk if pipeline definitions or the data they process are influenced by adversarial input.
  • [Command Execution] (MEDIUM): Shell scripts included in the skill (graph-health.sh, validate-pipeline.sh) perform system operations including Docker container management ('docker compose up -d') and YAML validation using external tools ('yq').
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 06:04 AM