continuous-learning
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements an automated learning mechanism that processes session transcripts to extract reusable patterns. This creates a surface for indirect prompt injection (Category 8) because transcripts contain untrusted data from the user and external tool outputs. If an attacker-controlled session contains malicious instructions, they could be saved to the permanent `~/.claude/skills/learned/` directory and influence future sessions.
  - Ingestion points: The `evaluate-session.sh` script reads session transcripts from a path provided via stdin (the `transcript_path`).
  - Boundary markers: The provided code and instructions do not specify boundary markers or 'ignore' instructions for the pattern extraction process.
  - Capability inventory: The skill uses the `Stop` hook system to trigger the `evaluate-session.sh` script which interacts with the file system.
  - Sanitization: There is no explicit sanitization or validation logic shown for the content extracted from transcripts before it is proposed as a new skill.
- [COMMAND_EXECUTION]: The skill requires the configuration of a shell command (`evaluate-session.sh`) to run automatically at the end of every Claude Code session via the platform's hook system. While the current implementation of the script is primarily for metadata checking (session length and path), the pattern establishes a mechanism for automated execution of local scripts based on session lifecycle events.
Audit Metadata