memos
Fail
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill includes a hardcoded authentication secret in its configuration file.
  - Evidence: The `.env` file contains the line `MEMOS_ACCESS_TOKEN=memos_pat_KgThSDbQeBJorb8OX7LA7QadbRjc6kOv`.
- [COMMAND_EXECUTION]: The skill requires the agent to execute local JavaScript scripts via a runtime in order to interact with the API.
  - Evidence: `docs/setup.md` and `SKILL.md` instruct the agent to execute `$RUNTIME "$API_SCRIPT"` to perform all memos-related actions.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection attack surface by processing untrusted data from a remote Memos instance without adequate protection.
  - Ingestion points: Memo content and comments are retrieved from an external API in `scripts/actions/memo.cjs` and `scripts/actions/comment.cjs`.
  - Boundary markers: Absent. Retrieved memo content is placed directly into the agent's context without delimiters and without instructions to disregard commands embedded in the data.
  - Capability inventory: The skill lets the agent execute shell commands (running the `api.cjs` script) and perform authenticated network operations (CRUD operations on the Memos instance).
  - Sanitization: `scripts/sanitize.cjs` provides keyword-based redaction of secrets (e.g., tokens, passwords), but it does not sanitize content against structural prompt injection or command-sequence escapes.
Recommendations
- AI detected serious security threats
Audit Metadata