continuous-learning-v2
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFE
Flagged categories: DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill observes and records user prompts and tool outputs to local log files (`observations.jsonl`). While it attempts to scrub secrets using regular expressions, this creates a comprehensive record of user activity that could contain sensitive information.
- [EXTERNAL_DOWNLOADS]: The `instinct-cli.py` script allows importing data from arbitrary URLs via the `import` command. While the content is parsed as YAML and not directly executed, it can influence the agent's future behavior.
- [COMMAND_EXECUTION]: The skill executes shell commands (e.g., `git`, `claude` CLI) through subprocesses in several scripts (`detect-project.sh`, `instinct-cli.py`, `observer-loop.sh`). These are used for project detection and background analysis.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. A background agent analyzes session logs to create new instructions ('instincts'). Malicious content repeated in tool outputs or prompts could trick the system into generating harmful instructions that persist across sessions.
- Ingestion points: `~/.claude/homunculus/projects/*/observations.jsonl` (captured from tool outputs and user prompts).
- Boundary markers: None are present in the observation logs.
- Capability inventory: The generated instincts can instruct the agent to use any available tools (e.g., `Edit`, `Bash`, `Grep`).
- Sanitization: Secret scrubbing is performed on logs, but no semantic validation is applied to the learned patterns.
Audit Metadata