self-improvement
Pass
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill implements an indirect prompt injection feedback loop by design, which can be exploited to modify agent behavior through untrusted data.
  - Ingestion points: The agent is instructed to capture content from tool outputs via the `CLAUDE_TOOL_OUTPUT` environment variable and user chat corrections into markdown files in the `.learnings/` directory.
  - Boundary markers: The captured data is appended to log files without boundary markers or instructions to disregard embedded commands, making it susceptible to injection.
  - Capability inventory: The skill encourages the agent to promote logged content to high-priority instruction files such as `CLAUDE.md`, `AGENTS.md`, and `SOUL.md`. It also provides a script (`extract-skill.sh`) to generate new executable skills.
  - Sanitization: There is no automated or instructed sanitization process to filter or validate external content before it is integrated into the agent's long-term memory or instructions.
- [COMMAND_EXECUTION]: The skill relies on local shell scripts (`scripts/activator.sh`, `scripts/error-detector.sh`) configured as hooks that run automatically during the agent's session (e.g., on prompt submission or tool output). It also provides `scripts/extract-skill.sh`, which performs file and directory operations based on user-provided skill names.
- [EXTERNAL_DOWNLOADS]: The skill documentation suggests installation from external sources, including a GitHub repository and the ClawdHub package registry.
Audit Metadata