memory-bridge
Warn
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill dynamically constructs and executes shell commands, specifically
grep -l "<topic>" <pages in tool set>. This pattern is susceptible to command injection if the user-provided topic or the list of filenames contains shell metacharacters (e.g., semicolons, pipes, or backticks).- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) because it ingests and processes untrusted data from a local vault. - Ingestion points: Data is read from
.manifest.json,index.md, and various markdown pages within the directory specified byOBSIDIAN_VAULT_PATH. - Boundary markers: No delimiters or isolation instructions are implemented to separate untrusted content from the agent's instructions.
- Capability inventory: The skill has access to file read/write operations, shell execution (
grep), and the ability to spawn subagents (impl-validator). - Sanitization: Content from external files is not sanitized or validated before being analyzed or used to generate output.- [DATA_EXFILTRATION]: The skill accesses sensitive metadata and content within a local Obsidian vault. While necessary for its functionality, this access creates a risk of exposing private knowledge and conversation histories if the agent's context is compromised or redirected.
Audit Metadata