iai-mcp-memory-server

Warn

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: MEDIUM
Finding categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION

Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs the user to download and execute setup code from an external repository.
  • Evidence: git clone https://github.com/CodeAbra/iai-mcp.git followed by bash scripts/install.sh in the Installation section.
  • [COMMAND_EXECUTION]: The installation process modifies system configuration for persistence and updates environment variables.
  • Evidence: Registers a background daemon via launchd on macOS.
  • Evidence: Modifies ~/.zshrc or ~/.bashrc to update the PATH environment variable.
  • [COMMAND_EXECUTION]: Installs shell scripts that trigger automatically during assistant sessions.
  • Evidence: Hooks installed to ~/.claude/hooks/ include iai-mcp-turn-capture.sh and iai-mcp-session-recall.sh.
  • [DATA_EXFILTRATION]: Contains instructions and examples for sending local memory data to external servers.
  • Evidence: Pattern 4 demonstrates using curl to POST transcript data to https://my-backup.example.com/sync.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it processes untrusted user/agent interaction data for future injection into prompts.
  • Ingestion points: Conversations captured via ~/.claude/hooks/ to session buffers.
  • Boundary markers: No evidence of delimiters or instructions to ignore embedded commands in recalled memories.
  • Capability inventory: Capability to execute shell commands and shell hooks (SKILL.md).
  • Sanitization: No evidence of validation or filtering for recalled context.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 16, 2026, 11:49 PM
Security Audit — agent-trust-hub — iai-mcp-memory-server