remembering
Warn
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: MEDIUM
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The `scripts/utilities.py` file contains logic in the `install_utilities` function to retrieve memories tagged as 'utility-code' from a remote Turso database. These memories are parsed and written to the local file system as executable Python scripts in `~/muninn_utils/`. This directory's parent is subsequently added to the Python system path, allowing for the dynamic loading and execution of remotely stored code.
- [COMMAND_EXECUTION]: The skill executes shell commands via `subprocess.run` in `scripts/boot.py` and `scripts/spokes.py`. These commands utilize the GitHub CLI (`gh`) for authentication status checks and repository metadata retrieval.
- [DATA_EXFILTRATION]: The skill performs network operations to external services: it fetches and persists memory data via the Turso HTTP API in `scripts/turso.py`, and it retrieves project discussion metadata from the GitHub GraphQL API in `scripts/boot.py`. These operations target well-known service providers for legitimate functionality.
- [REMOTE_CODE_EXECUTION]: The `scripts/turso.py` module constructs and executes SQL queries against the remote Turso database. While the skill employs parameterized queries for standard operations, the direct execution of SQL strings representing remote storage logic constitutes a dynamic execution surface.
- [PROMPT_INJECTION]: The skill's memory system creates a surface for indirect prompt injection. Malicious instructions could be ingested into memories from external sources (such as web content processed by the agent) and subsequently retrieved during `recall()` operations, potentially influencing agent behavior or exploiting the dynamic utility materialization mechanism.
  - Ingestion points: `remember()` and `remember_batch()` in `scripts/memory.py` ingest arbitrary text content from the agent's context into the database.
  - Boundary markers: No explicit boundary markers or isolation instructions are present for stored memory summaries.
  - Capability inventory: The skill possesses capabilities for subprocess execution (`gh`), SQL execution (Turso), file system writes (`~/muninn_utils/`), and network requests.
  - Sanitization: No explicit sanitization or filtering of memory content for executable patterns was identified during ingestion.
Audit Metadata