continuous-learning-agent
Warn
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements a 'Continuous Learning' loop that reads from and writes to a local
.claude/learnings/directory to influence future sessions. This introduces a significant surface for Indirect Prompt Injection. - Ingestion points: The agent is instructed to read past learnings from
.claude/learnings/usinggrepandcat(e.g., in the 'Weekly Synthesis Loop' and 'Pre-Task Hook'). - Boundary markers: The instructions do not include boundary markers or warnings to the agent to disregard instructions potentially embedded within the 'Success Patterns' or 'Error Logs'.
- Capability inventory: The agent has the capability to write files, create directories, and execute shell scripts (hooks).
- Sanitization: No sanitization or validation is performed on the data stored in the learning logs, meaning a malicious pattern encountered during a task (e.g., in code being reviewed) could be saved as a 'Success Pattern' and automatically applied to future high-privilege tasks.
- [COMMAND_EXECUTION]: The skill provides bash script templates for
pre-task.shandpost-task.shthat utilize positional parameters without rigorous validation. - Evidence: In
pre-task.sh, the commandgrep -r "$1" .claude/learnings/uses the first argument directly. While quoted, this parameter is sourced from task names which, if they contain certain shell metacharacters or flags, could lead to unexpected behavior or command injection depending on how the agent invokes the script. - Evidence: The initialization step uses
cat > ... << 'EOF'to create files, and several other commands use shell redirection and pipes with content sourced from the learning logs.
Audit Metadata