continuous-learning-agent
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill uses a persistent storage system in
.claude/learnings/to influence future agent behavior, creating a surface for indirect prompt injection. * Ingestion points: Files in.claude/learnings/(SKILL.md). * Capability inventory: Shell execution, file reading (cat, grep), and file writing (echo) (SKILL.md). * Boundary markers: Absent. No delimiters are used to separate stored data from instructions. * Sanitization: Absent. Content is written to files without escaping. - [COMMAND_EXECUTION]: The shell scripts provided for pre-task and post-task hooks use unquoted variables, which can lead to arbitrary command execution if inputs contain shell metacharacters. * Evidence: The script
.claude/hooks/post-task.shin SKILL.md usesecho "## Task Completed: $1"where$1is unsanitized.
Audit Metadata