memory-commit

Fail

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The framework uses privileged commands and persistent mechanisms.
      • The utility script _shared/tools/dependency-utils.sh includes a function maw_install_system_package that executes sudo apt-get install to install system dependencies such as jq during the setup process.
      • The installation script _shared/tools/hooks/install-hooks.sh automatically installs hook scripts into the user's home directory (~/.claude/hooks/) and modifies the global configuration file (~/.claude/settings.json), establishing persistence in the agent's runtime environment.
      • Extensive use of subprocess.run and subprocess.Popen to execute shell commands for git operations, tool invocation, and environment setup across the CLI tool (_cli/cli/orchestrator/agent_caller.py) and various hook scripts.
  • [EXTERNAL_DOWNLOADS]: The system performs runtime installation of third-party code.
      • The module _cli/cli/dependencies.py and the utility _shared/tools/yaml_compat.py automatically execute pip install to fetch and install Python packages (typer, rich, pydantic, PyYAML) from external registries when dependencies are missing.
  • [PROMPT_INJECTION]: The framework has a significant attack surface for indirect prompt injection.
      • As described in _shared/coordination/reduce-phase.md and _shared/synthesis/cross-validation.md, the "Reduce Phase" ingests and processes reports generated by agents in earlier stages.
      • Ingestion points: Files matching .claude/memory/{type}/{id}/perspectives/*.md are ingested into the agent context in _shared/coordination/reduce-phase.md for synthesis.
      • Boundary markers: The provided instructions do not mention the use of delimiters or warnings to ignore instructions embedded in the ingested reports.
      • Capability inventory: The orchestrator and subsequent agents have access to powerful tools like Bash and can execute commands via subprocess.run (as seen in _cli/cli/orchestrator/agent_caller.py).
      • Sanitization: No sanitization or escaping of ingested report content is defined before interpolation into prompts, allowing malicious content in an ingested report to potentially influence subsequent workflow decisions or execute arbitrary commands.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 12, 2026, 04:06 AM
Security Audit — agent-trust-hub — memory-commit