evolve
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local Python CLI tool located at ~/.claude/skills/continuous-learning-v2/scripts/instinct-cli.py to analyze data and generate new instruction files.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It reads "instincts"—which typically represent past user interactions or tool outputs—and uses this untrusted data to generate new, permanent instructions (skills/commands) for the agent.
  - Ingestion points: Reads all files from the ~/.claude/homunculus/instincts/ directory.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands within the source data are defined.
  - Capability inventory: The skill possesses the Bash, Read, Write, Grep, and Glob tools, allowing it to modify the agent's operational environment by writing to ~/.claude/homunculus/evolved/.
  - Sanitization: There is no evidence of sanitization or validation of the instinct content before it is incorporated into generated markdown files.
- [DATA_EXFILTRATION]: The skill performs broad read operations on internal agent data stored in ~/.claude/homunculus/instincts/. While no network transmission is observed in this script, it exposes sensitive operational history and internal state to the processing logic.