letta-filesystem-to-memfs

Pass

Audited by Gen Agent Trust Hub on May 24, 2026

Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [SAFE]: The skill's code and instructions are consistent with its stated purpose of document ingestion and migration. No signs of malicious intent, data exfiltration, or obfuscation were found.
  • [EXTERNAL_DOWNLOADS]: The ingest command in scripts/letta_fs_to_memfs.py uses urllib.request.urlopen to download documents from user-supplied URLs. It includes a file size limit (--max-download-mb) to prevent resource exhaustion from large downloads.
  • [COMMAND_EXECUTION]: The script interfaces with the external qmd CLI tool using subprocess.run. The implementation correctly uses a list of arguments rather than a single shell string, effectively preventing command injection vulnerabilities.
  • [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection because it ingests untrusted content from external sources (URLs and local files).
      • Ingestion points: Document ingestion occurs in scripts/letta_fs_to_memfs.py via the download_source and load_docs functions.
      • Boundary markers: The script wraps extracted text in markdown files with YAML frontmatter and clear headers (e.g., # {title} — chunk {idx}/{total}).
      • Capability inventory: The skill can execute the qmd tool via subprocess.run and perform file writes to the specified memory directory.
      • Sanitization: The tool performs text extraction from complex formats (like PDF) and normalizes whitespace, which removes some non-textual attack vectors, though it does not filter the semantic content of the documents.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 24, 2026, 05:31 AM
Security Audit — agent-trust-hub — letta-filesystem-to-memfs