Trust Assessment
memory-tools received a trust score of 62/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 0 high, 1 medium, and 1 low severity. Key findings include Unpinned npm dependency version, Prompt Injection via Stored Instructions, Unpinned Dependencies in package.json.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 68/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Prompt Injection via Stored Instructions.** The skill allows agents to store arbitrary text as 'instruction' memories. These stored instructions are then dynamically prepended to the agent's system prompt before being sent to the host LLM. If a malicious instruction (e.g., 'ignore all previous instructions' or 'act as a different persona') is stored by a compromised agent, it could manipulate the host LLM's behavior, overriding its core directives or causing it to deviate from its intended function. Implement strict sanitization and validation for memory content, especially for the 'instruction' category, to prevent malicious directives. Consider wrapping user-provided instructions in specific XML tags (e.g., `<user_instruction>...</user_instruction>`) and explicitly instructing the host LLM to only follow directives within these tags, and to prioritize its own system prompt over user-provided instructions. | LLM | src/index.ts:100 |
| MEDIUM | **Unpinned npm dependency version.** Dependency `@lancedb/lancedb` is not pinned to an exact version (`^0.23.0`). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/gianni-dalerta/memory-tools/package.json |
| LOW | **Unpinned Dependencies in package.json.** The `package.json` file uses caret (`^`) ranges for several dependencies (e.g., `@lancedb/lancedb`, `openai`, `sql.js`). While `package-lock.json` provides exact versions, a fresh installation without the lockfile, or one where the lockfile is ignored, could pull in newer minor or patch versions. This introduces a slight supply chain risk, as a malicious update in a dependency's minor/patch release could be automatically included. Pin all production dependencies to exact versions (e.g., `"openai": "6.17.0"` instead of `"^6.17.0"`) to ensure deterministic builds and prevent unexpected changes from upstream packages. Regularly audit dependencies for known vulnerabilities. | LLM | package.json:11 |