Trust Assessment
agent-memory received a trust score of 74/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. Key findings include "Missing required field: name", "Arbitrary file read/write via user-controlled database path", and "Full-Text Search (FTS) query injection via `recall` method".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)

HIGH: Arbitrary file read/write via user-controlled database path
Layer: LLM. Location: src/memory.py:69

The `AgentMemory` class constructor accepts a `db_path` argument, which is directly used to create or connect to an SQLite database file. The CLI wrappers (`cli/entity.py`, `cli/fact.py`, `cli/learn.py`) expose this `db_path` as a command-line argument (`--db`). An attacker or a compromised AI agent could specify an arbitrary file path, potentially leading to:

- **Data Exfiltration**: Attempting to open sensitive system files (e.g., `/etc/passwd`, `/root/.ssh/id_rsa`) as a SQLite database. While unlikely to succeed in parsing, the attempt itself could be used to probe file existence or permissions.
- **Data Corruption/Overwrite**: Overwriting existing files with SQLite database content if the agent has write permissions to the specified path.
- **Denial of Service**: Filling up disk space by writing large database files to an unprivileged location.

This grants the skill excessive filesystem permissions beyond its intended scope of managing memory within a dedicated directory.

Recommendations:

1. **Restrict `db_path`**: Disallow arbitrary `db_path` specification. Force the database to be within a designated, sandboxed directory (e.g., `~/.agent-memory/` or a temporary directory).
2. **Path Validation**: If a custom `db_path` is necessary, validate the path to ensure it is within an allowed directory (e.g., `Path.is_relative_to` a base directory) and does not contain directory traversal sequences (`..`).
3. **Permissions**: Ensure the AI agent runs with the principle of least privilege, limiting its filesystem access.

MEDIUM: Missing required field: name
Layer: Static. Location: skills/dennis-da-menace/agent-memory/SKILL.md:1

The 'name' field is required for claude_code skills but is missing from the frontmatter.

Recommendation: Add a 'name' field to the SKILL.md frontmatter.

MEDIUM: Full-Text Search (FTS) query injection via `recall` method
Layer: LLM. Location: src/memory.py:260

The `recall` method in `AgentMemory` uses SQLite's FTS5 `MATCH` operator with a user-provided `query` string. While the `?` placeholder prevents direct SQL injection, it does not prevent FTS query injection. An attacker or a compromised AI agent could craft a `query` string containing FTS5 operators (e.g., `AND`, `OR`, `NOT`, `NEAR`, `*`, `^`) to manipulate search results, perform overly broad searches, or potentially cause a denial of service by submitting computationally expensive FTS queries. This could lead to unexpected behavior or resource exhaustion.

Recommendations:

1. **Sanitize FTS Query**: Implement a sanitization step for the `query` string before passing it to the `MATCH` operator. This could involve escaping FTS special characters or restricting the query to simple keywords.
2. **Restrict FTS Operators**: If advanced FTS features are desired, explicitly define and validate allowed operators, or provide a separate interface for advanced queries.
3. **Resource Limits**: Implement resource limits (e.g., query timeout) to mitigate potential DoS attacks from complex FTS queries.