memory-search
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFE
COMMAND_EXECUTION
EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill's instructions include shell command templates that incorporate a search query placeholder (e.g., `npx ruvector search "QUERY"`). This pattern creates a potential command injection vulnerability if the agent interpolates unsanitized user-provided input into the shell string, which could lead to the execution of arbitrary commands on the underlying system.
- [EXTERNAL_DOWNLOADS]: The skill utilizes `npx` to fetch and execute packages from the NPM registry at runtime, specifically `@claude-flow/cli@latest` and `ruvector`. While these appear to be components of the vendor's ecosystem, the practice of downloading and executing remote code via the `@latest` tag introduces a dependency on the integrity of the external registry and the package maintainer's account.
Audit Metadata