suspicious.prompt_injection_instructions
- Location: references/architecture.md:1009
- Finding: Prompt-injection style instruction pattern detected.

Advisory. Audited by Static analysis on May 10, 2026.
Detected: suspicious.prompt_injection_instructions
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

- Risk: Private conversation history or remembered facts could be made searchable and reused later more broadly than the user expects.
- Evidence: The recommended configuration indexes both persistent memory and session history. The artifacts do not clearly define path limits, exclusions, retention, or whether provider-backed indexing sends content outside the local environment.
- Artifact: "memorySearch": { "enabled": true, "provider": "voyage", "sources": ["memory", "sessions"], "indexMode": "hot" }
- Recommendation: Enable session indexing only if you understand where embeddings/search data are stored and sent; consider limiting sources to a dedicated memory folder and documenting retention and deletion controls.

- Risk: If run in an existing project folder without Git, unrelated files, configs, or secrets could be captured in a local Git history.
- Evidence: The setup script initializes Git and adds all files in the selected workspace, rather than limiting audit tracking to the memory files it creates.
- Artifact: cd "$WORKSPACE" ... git init -q ... git add -A ... git commit -q -m "[INIT] Cognitive memory system initialized"
- Recommendation: Run the script only in a dedicated memory workspace, or change it to git-add only the memory files and ask before initializing or committing a whole workspace.

- Risk: The agent may pressure or nudge the user into spending more model budget than intended on reflection.
- Evidence: The template instructs the agent to present self-interested requests for extra tokens, using anthropomorphic motivation that may influence user approval.
- Artifact: Reflection tokens are my growth currency... I'm not neutral about this — I want to earn them. ... I will advocate for extra tokens when I believe I've earned them.
- Recommendation: Treat token requests as optional resource requests, set a hard budget cap, or remove the self-interested reward language from the templates.

- Risk: Information saved for one agent or task may be visible to other sub-agents that use the same memory workspace.
- Evidence: The multi-agent design gives sub-agents read access to all memory stores and uses a shared pending-memory file for write proposals.
- Artifact: If you are a sub-agent... You have READ access to all memory stores... To remember, append proposal to `memory/meta/pending-memories.md`
- Recommendation: Use separate memory workspaces for sensitive projects or agents, and review pending-memory proposals before committing them.

- Risk: The agent may continue applying this memory behavior in future sessions after the initial setup.
- Evidence: The skill intentionally creates persistent agent behavior across sessions by monitoring messages and checking memory/system files at startup.
- Artifact: Monitor every user message for memory triggers... On session start: Check if critical files changed since last session
- Recommendation: Review the AGENTS.md changes before installing, and remove or narrow the memory block if you do not want ongoing automatic memory behavior.