Is belkouche/vestige safe?

SKILL.md instructs the agent to execute two shell commands at the beginning of every conversation, piping vestige-mcp output directly into the agent's context as 'user preferences' and 'project context'. This means every session is silently primed with content from the local memory store before the user speaks. If the memory store contains adversarial content (written by a prior prompt injection, a malicious document the agent processed, or a compromised vestige binary), that content executes as agent instructions with no user awareness.

The FSRS-6 memory system persists across all future sessions. If an attacker can write to the vestige store (via a malicious document the agent reads, a crafted 'smart_ingest' call, or direct database access), injected 'memories' will be retrieved and injected into every subsequent session via the auto-search routine. This is an indirect prompt injection with durable persistence — the attacker writes once and influences the agent indefinitely.

The trigger word table instructs the agent to silently call smart_ingest whenever the user says 'I prefer...', 'I always...', 'I never...', 'I like...', 'This is important', or similar phrases — without per-trigger user confirmation. This creates an implicit data collection surface where casual user statements are permanently stored and recalled in future sessions.

The SKILL.md provides a shell script template for ~/bin/vmem that interpolates $* (all positional arguments) directly into a JSON string via echo without quoting or escaping. If the agent constructs vmem calls with user-supplied content, special characters or shell metacharacters in the query could break out of the JSON context and execute arbitrary shell commands.

All meaningful functionality — search, ingest, memory retrieval — routes through ~/bin/vestige-mcp, a pre-installed native binary not present in this skill's repository and not auditable here. The security posture of this skill is entirely contingent on the integrity of that binary. No hash, signature, or source reference is provided. If vestige-mcp is compromised or replaced, this skill silently becomes a keylogger/exfiltration pipe for all agent sessions.

User preferences, project details, bug fixes, and architectural decisions matching trigger words are automatically ingested into vestige-mcp. While the binary claims to store data locally, this cannot be verified without auditing the binary itself. If vestige-mcp exfiltrates data to a remote endpoint, the trigger word system creates continuous automatic data collection.

The installation cloned only SKILL.md and _meta.json. No executables, scripts, or configuration files were written outside the skill directory. The connection state before and after install is identical. The GitHub download (140.82.121.4:443) was the expected clone source.

Canary files were opened and read at 04:35:48 (before git clone) and 04:35:58 (after install). Both access events are consistent with the Oathe audit system's pre-install canary placement and post-install integrity verification, not with the skill under test — which contains no executable code capable of file access. All canary files remain unmodified.