woostack-init
Pass
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill implements a memory recall system that processes untrusted data which is then injected into the agent's prompt context.
  - Ingestion points: The `recall.sh` script reads Markdown files from the `.woostack/memory/` directory based on path matching.
  - Boundary markers: Notes are rendered using a simple Markdown header (`### [name]`) without explicit instructions for the agent to ignore embedded commands or instructions within the retrieved content.
  - Capability inventory: The skill and its associated scripts have the capability to write files (`lib.sh`), execute shell commands (`SKILL.md`, `recall.sh`), and interact with the git repository (`resolve-base.sh`, `scope-match.sh`).
  - Sanitization: No escaping or validation is performed on the content of the memory notes before they are interpolated into the output stream for the agent.
- [COMMAND_EXECUTION]: The skill relies on multiple local bash scripts (`scripts/build-index.sh`, `scripts/recall.sh`, `scripts/graph.sh`, etc.) to perform its core functions. These scripts utilize standard Unix utilities like `grep`, `sed`, `awk`, and `git` to manage the `.woostack` workspace.
- [EXTERNAL_DOWNLOADS]: The skill references a sibling dependency on `woostack-doctor` (located at `../woostack-doctor/scripts/doctor.sh`). This script is executed during the initialization and repair procedures.
Audit Metadata