memory-bank

SUSPICIOUS. The skill is not overtly malicious and its behaviors mostly align with a combined memory/workflow toolkit, but its footprint is unusually broad: global config installation, many hooks, autonomous session logging/summarization, code indexing, research ingestion, and a self-update path. Main concerns are scope proportionality, prompt-injection exposure from processing untrusted content while retaining write/exec capability, and medium supply-chain risk until the upgrade/install provenance is verified.

The Pi adapter is operational for basic workflows but exhibits significant architectural and documentation gaps that undermine secure and reliable deployment. Key remediation priorities include aligning documentation with capabilities (remove claims of native subagents and hooks for Pi), implementing a safe sequential fallback path for parallel pipeline (or removing parallel expectations), addressing hook/tool guardrails (or clearly declaring absence), and cleaning up dead extension code or wiring it properly with CI validation. Strengthening tests to cover critical flows is essential to prevent regressions and misconfigurations.

The specification outlines a sound, layered approach to building a configurable multi-stage pipeline with explicit precedence and guardrails. The primary security concerns derive from implementation fidelity, script integrity, and configuration correctness rather than intrinsic malicious content in the design. Recommend rigorous input validation, integrity verification of external scripts, and comprehensive tests for boundary conditions (conflicts, overrides, missing prerequisites) to minimize misconfigurations and ensure consistent, safe behavior across all layers.

No explicit malicious payload is evident in this updater script (no obfuscation, credential handling, exfiltration, or suspicious network destinations). The primary security concern is supply-chain execution trust: it fast-forwards a git repo from origin and then executes install.sh from the updated content without integrity pinning/signature/origin validation. If the upstream repository or origin transport is compromised, this script can become an arbitrary code execution conduit. Review/lock down the expected origin, consider pinning/verifying commits or signatures, and treat install.sh as untrusted code until validated.

No direct malware or exfiltration logic is visible in this fragment. However, it is a high-impact orchestration layer that executes many local shell scripts from `~/.claude/...` across write/edit/task and session lifecycle events, and it explicitly injects local markdown (`~/.claude/CLAUDE.md`) as agent context. The security posture therefore depends entirely on the contents and integrity of the invoked hook scripts; they must be reviewed for malicious behavior and checked for integrity/ownership/permissions. Overall risk is moderate due to unverified delegated execution and sensitive context handling.

No clear evidence of intentional malware (e.g., data theft, backdoors, network exfiltration) is present in the provided fragment. The main security weakness is the use of eval on stdout from a local script under ~/.claude/... (mb-metrics.sh), which can turn compromised/attacker-controlled output into arbitrary shell command execution. Additionally, the fragment does not include the actual migration file-writing and apply/testing implementations, so stated safeguards (destructive-operation confirmation gating, rollback/idempotency enforcement, sanitization of $ARGUMENTS into SQL) cannot be verified here.

This module is a path-resolution/bootstrapper that escalates from filesystem/environment discovery to dynamic execution by dot-sourcing a resolved scripts/_lib.sh via `bash -c`. While it does not itself show overt exfiltration or credential theft, it creates a meaningful supply-chain/local-tampering risk: if the discovered _lib.sh can be influenced (MB_SKILL_ROOT override or compromised/tampered HOME skill directories), arbitrary code can execute in the hook context. Further assurance requires reviewing scripts/_lib.sh and mb_registry_lookup for malicious behavior and for defensive validation of trusted locations.

The overall risk is moderate, dominated by the self-update mechanism and per-user write paths for IDE integrations. Key mitigations include: (a) implement and document cryptographic signing and integrity verification for updates with pinning and rollback capabilities; (b) minimize and tightly control per-user writes, ensure proper directory permissions, and isolate update payloads; (c) audit environment variable handling to prevent leakage of sensitive data and enforce least-privilege. No explicit malicious code is identified, but the update and integration flows warrant a rigorous security review before deployment.