recall
Fail
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The execution logic in SKILL.md uses string interpolation to place user-supplied input (<ARGS>) directly into a shell command: uv run python scripts/core/recall_learnings.py --query "<ARGS>". An attacker can use shell metacharacters such as semicolons, backticks, or pipes to break out of the query argument and execute arbitrary shell commands.
- [REMOTE_CODE_EXECUTION]: The command injection vulnerability allows an attacker to execute arbitrary code on the host machine running the agent.
- [PROMPT_INJECTION]: The skill implements an indirect prompt injection surface by querying and displaying 'learnings' from past sessions. If malicious instructions were previously stored in the memory system, they could be retrieved and interpreted as instructions by the agent during the recall process.
- [PROMPT_INJECTION]: (Category 8 Evidence Chain)
  1. Ingestion point: PostgreSQL database queried by scripts/core/recall_learnings.py.
  2. Boundary markers: Absent; results are displayed as raw text within Markdown headers.
  3. Capability inventory: The skill facilitates shell command execution via the uv run entry point.
  4. Sanitization: No validation or sanitization of database content is performed before presentation to the agent.
Recommendations
- AI detected serious security threats
Audit Metadata