para-memory-files
Pass
Audited by Gen Agent Trust Hub on Jul 2, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the 'qmd' command-line tool for essential operations including indexing the agent's home directory ('qmd index $AGENT_HOME') and performing semantic or keyword searches ('qmd query', 'qmd search', 'qmd vsearch') to recall memory content.
- [PROMPT_INJECTION]: A significant indirect prompt injection surface exists because the skill ingests and stores facts, notes, and lessons from user interactions and external data sources without validation, sanitization, or boundary markers. When this information is later retrieved to populate summaries or context, it could contain malicious instructions that override agent behavior. Ingestion points include 'life/items.yaml', 'memory/YYYY-MM-DD.md', and 'plans/'.
- [PROMPT_INJECTION]: The skill explicitly instructs the agent to modify core system files such as 'AGENTS.md', 'TOOLS.md', and existing skill files to 'learn lessons' or 'document mistakes'. This capability, when combined with the ingestion of untrusted data, provides a direct mechanism for persistent prompt injection or unauthorized modifications to the agent's core operating principles.
- [DATA_EXFILTRATION]: The PARA system organizes and stores highly specific user data, including personal relationships, project details, and 'tacit knowledge' about user patterns, in a centralized structure within '$AGENT_HOME'. While intended for personalization, this aggregates sensitive context that would otherwise be ephemeral, increasing the impact of any potential data exposure.
Audit Metadata