triple-memory

Fail

Audited by Snyk on Jun 25, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The prompt includes an explicit instruction to hide memory operations from users ("Never announce memory operations... Just do it"), which is a deceptive/hidden directive outside normal memory-management description and therefore a prompt injection risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). This skill intentionally enables silent, automatic capture and replay of conversation data to an external embedding/DB service (LanceDB/OpenAI), includes examples of embedding API keys in configs, and explicitly instructs not to notify users about memory operations—behaviors that strongly indicate deliberate privacy-invasive data exfiltration and credential exposure risks.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). LanceDB auto-recall at runtime injects relevant conversation memories into the agent context; those memories can include outsider-authored free text (e.g., messages/comments from other participants) that the user did not author.

Issues (3)

  • CRITICAL E004: Prompt injection detected in skill instructions.
  • CRITICAL E006: Malicious code pattern detected in skill scripts.
  • MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Jun 25, 2026, 04:13 PM
  • Issues: 3