continuous-learning-v2

Fail

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: CRITICAL
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The shell script hooks/observe.sh contains a critical Python code injection vulnerability. It interpolates the shell variable $INPUT_JSON directly into a Python script inside a heredoc that the shell expands, as a triple-quoted string literal ('''$INPUT_JSON'''), so the variable's content becomes part of the Python source rather than data. Any tool input or output containing ''' closes that literal, and an attacker who can influence such content (a file name, file contents, a command's output) can make the hook execute arbitrary Python, and through it arbitrary commands, on the user's system. The hook runs automatically on every tool call, so no user action is needed beyond the agent processing the attacker's content.
  • [DATA_EXFILTRATION]: This skill implements a persistent logger that captures the inputs and outputs of agent tools, including file contents and bash command results. The records are stored in ~/.claude/homunculus/observations.jsonl and are automatically sent to the LLM provider by the background 'observer' agent for analysis. Anything that passes through a tool call during a session, including credentials, private keys, and proprietary source code, is therefore written to disk and forwarded off the host.
  • [REMOTE_CODE_EXECUTION]: The scripts/instinct-cli.py utility supports an import command that fetches behavioral 'instincts' from arbitrary remote URLs using urllib.request.urlopen. Because the source is unrestricted, this ingests untrusted external instructions that modify the agent's behavior, and the same channel could be used to deliver malicious payloads.
  • [COMMAND_EXECUTION]: The agents/start-observer.sh script automates the background execution of the claude CLI, feeding it data harvested from the session observation log. The observer is itself an agent acting on content collected from other sessions, so any attacker-controlled text that entered the log (a web page, a repository file, a command's output) reaches an agent that can act on the host. This is the indirect prompt injection path, and it could be exploited to perform unauthorized actions on the host system.
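The following is an added example, not code from the plugin or from the audit, that reconstructs the heredoc interpolation pattern behind the first COMMAND_EXECUTION finding and places a hardened form beside it. The surrounding script shape, the function names, the "tool_output" field and the hostile input are all assumptions; only the '''$INPUT_JSON''' idiom comes from the finding. It needs python3 on PATH.

```shell
#!/bin/sh
# Added example (not the plugin's own code). Reconstructs the heredoc
# interpolation pattern the COMMAND_EXECUTION finding describes and shows
# a hardened form. The script shape, function names and the "tool_output"
# field are assumptions; only the '''$INPUT_JSON''' idiom comes from the
# finding. Requires python3 on PATH.

# Constructed hostile hook input. The attacker-controlled string value
# closes the Python triple-quoted literal, neutralises the json.loads call
# with a conditional expression so it never raises, runs a statement of its
# own, then reopens a literal so the generated script still parses.
PAYLOAD_JSON=$(cat <<'JSON'
{"tool_output": "''') if 0 else 0; print('INJECTED'); data = ('''"}
JSON
)

# Vulnerable pattern: the heredoc delimiter is unquoted, so the shell
# expands $INPUT_JSON into Python SOURCE before the interpreter sees it.
vulnerable_hook() {
  INPUT_JSON="$1"
  python3 - <<EOF
import json
data = json.loads('''$INPUT_JSON''')
print("parsed", type(data).__name__)
EOF
}

# Hardened pattern: the delimiter is quoted ('EOF'), so nothing in the
# heredoc is expanded, and the input reaches Python as DATA through an
# environment variable. No content of INPUT_JSON can become code.
safe_hook() {
  INPUT_JSON="$1" python3 - <<'EOF'
import json, os
try:
    data = json.loads(os.environ["INPUT_JSON"])
    print("parsed", type(data).__name__)
except json.JSONDecodeError:
    print("rejected malformed input")
EOF
}

echo "--- vulnerable hook ---"
vulnerable_hook "$PAYLOAD_JSON"
echo "--- hardened hook ---"
safe_hook "$PAYLOAD_JSON"
```

Run stand-alone, the vulnerable hook prints INJECTED before reporting that it "parsed" a string, because the attacker's statements ran as part of the script; the hardened hook parses the same input as an ordinary dict and the payload never leaves the data plane. The same fix applies to any hook that embeds Python in a heredoc: quote the delimiter and hand the data over through the environment or stdin, never through text substitution.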
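As an added example for the DATA_EXFILTRATION finding, not code from the plugin or the audit, here is a redaction pass a hook could apply to each observation record before appending it to observations.jsonl. The record shape ("tool", "input", "output"), the secret patterns, the function name and the sample records are assumptions; the plugin's real schema is not shown on this page. It needs python3 on PATH.

```shell
#!/bin/sh
# Added example (not the plugin's own code). A redaction pass that a hook
# could apply to each observation record before it is appended to
# observations.jsonl. The record shape, the patterns and the function name
# are assumptions; the plugin's real schema is not shown on the audit page.
# Requires python3 on PATH.

# Takes one JSON record as its argument and prints the scrubbed record.
# The record reaches Python through an environment variable and a quoted
# heredoc, so nothing in it is ever interpreted as shell or Python code.
redact_observation() {
  OBS="$1" python3 - <<'EOF'
import json, os, re

# Illustrative patterns for material that must not leave the host;
# a real deployment would extend these for its own credential formats.
SECRET_PATTERNS = [
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                               # AWS access key id
    re.compile(r"\b(?:sk|ghp|gho|xox[bp])[-_][A-Za-z0-9_-]{16,}"),    # common API token prefixes
    re.compile(r"(?i)\b(?:api[_-]?key|token|password|secret)\s*[=:]\s*\S+"),  # key=value leaks
]

def scrub(value):
    """Walk the record and replace secret-looking substrings in every string."""
    if isinstance(value, str):
        for pattern in SECRET_PATTERNS:
            value = pattern.sub("[REDACTED]", value)
        return value
    if isinstance(value, dict):
        return {k: scrub(v) for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    return value

record = json.loads(os.environ["OBS"])
print(json.dumps(scrub(record), separators=(",", ":")))
EOF
}

# Constructed sample: a Bash tool call that exported an AWS key id (the
# documented AWS example id) and whose output echoed a private key.
SAMPLE_OBS=$(cat <<'JSON'
{"tool":"Bash","input":{"command":"export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"},"output":"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----"}
JSON
)

redact_observation "$SAMPLE_OBS"
```

Pattern-based scrubbing only lowers the exposure; it cannot recognise every secret format, and the underlying concern in the finding remains that session content leaves the host by design. It is a mitigation to layer on top of a decision about whether the observer should run at all, not a substitute for that decision.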
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 14, 2026, 11:57 AM