instinct-export
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses
~/.claude/homunculus/instincts/personal/, which contains sensitive internal agent state and learned behaviors. While the skill includes instructions to scrub sensitive identifiers, reading from internal configuration directories constitutes exposure of agent metadata. - [COMMAND_EXECUTION]: The skill utilizes
Bash,Read,Write,Grep, andGlobto filter and export data. This allows for arbitrary file system operations and shell execution to fulfill the export request, which could be exploited to read or write data outside the intended scope if input flags (like--output) are manipulated. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes and exports data that may contain untrusted content.
- Ingestion points: Data is read from the local instincts directory (
~/.claude/homunculus/instincts/personal/). - Boundary markers: None defined; processed content is treated as data for export without explicit delimiters to prevent the agent from obeying instructions embedded in the instincts.
- Capability inventory: The skill has access to
Bash,Read,Write,Grep, andGlobtools. - Sanitization: The skill attempts to strip session IDs, file paths, and old timestamps, but does not sanitize the core 'action' or 'trigger' fields for malicious instructions that could affect downstream users who import the exported files.
Audit Metadata