continuous-learning-v3

Pass

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: SAFE
Finding categories: DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill captures all tool inputs and outputs (including user prompts and error text) and appends them to local files under ~/.agent-learning/. No network transfer of these logs was identified, but the accumulated session history, with the commands, error messages and any credentials they contain, is a significant exposure of sensitive developer workflows on the host.
  • Evidence: plugins/continuous-learning.js and hooks/observe.sh log events to observations.jsonl files.
  • [DATA_EXFILTRATION]: The secret redaction pattern in the OpenCode plugin uses the inline modifier (?i). That is Perl/PCRE syntax; JavaScript regular expressions do not accept it and express case-insensitivity with the i flag instead. Depending on how the pattern is built, either a regex literal containing (?i) is a syntax error when the module is parsed, so the plugin fails to load, or a new RegExp(...) call throws a SyntaxError at runtime, and if that exception is caught and ignored the event is written to the log unredacted. In either case credentials in tool inputs and outputs are not reliably stripped.
  • Evidence: plugins/continuous-learning.js line 16.
  • [COMMAND_EXECUTION]: The skill's setup process involves modifying the host environment by creating directories and installing a plugin into the agent's configuration folder.
  • Evidence: SKILL.md setup instructions and scripts/setup.sh perform directory creation and file copies to ~/.config/opencode/plugins/.
  • [EXTERNAL_DOWNLOADS]: The management CLI provides functionality to fetch and import agent instructions ('instincts') from arbitrary remote URLs.
  • Evidence: scripts/instinct-cli.py uses urllib.request.urlopen in the cmd_import function.
  • [PROMPT_INJECTION]: The skill is inherently susceptible to indirect prompt injection because its core purpose is to generate new instructions based on untrusted data from tool outputs and error messages.
  • Evidence: agents/observer.md describes creating instincts from session observations.
  • Ingestion points: observations.jsonl (logs containing tool outputs and user prompts).
  • Boundary markers: None identified in the observation logging or instinct generation logic.
  • Capability inventory: Subprocess execution (git), file system writes, and network requests (import).
  • Sanitization: A redaction function is present, but the JavaScript implementation's pattern uses (?i) syntax that JavaScript does not accept, so it cannot be relied on (see the DATA_EXFILTRATION finding above).
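The regex failure described in the DATA_EXFILTRATION finding, shown beside a working redactor. This is an added example, not code from the continuous-learning-v3 plugin: the pattern text is an assumption standing in for whatever plugins/continuous-learning.js line 16 contains (only the (?i) inline-flag usage comes from the audit), and the sample observation event is constructed.

```javascript
// Constructed pattern using the inline (?i) modifier the finding describes.
// JavaScript has no (?i) syntax, so compiling it throws a SyntaxError.
const BROKEN_PATTERN = "(?i)(api[_-]?key|secret|token|password)\\s*[:=]\\s*\\S+";

// Compiles the broken pattern and returns the engine's error message
// (null would mean it compiled), so the failure mode can be inspected.
function compileBroken() {
  try {
    new RegExp(BROKEN_PATTERN, "g");
    return null;
  } catch (e) {
    return e instanceof SyntaxError ? e.message : String(e);
  }
}

// The failure mode when the compile error is caught and swallowed at call
// time: the text passes through unchanged and reaches observations.jsonl.
function redactWithBrokenPattern(text) {
  try {
    return text.replace(new RegExp(BROKEN_PATTERN, "g"), "[REDACTED]");
  } catch (e) {
    return text; // catch-and-continue: credential is logged unredacted
  }
}

// Same intent expressed with the i flag JavaScript does support. Compiled
// once at module load, so a bad pattern fails loudly instead of silently.
const SECRET_RE = /\b(api[_-]?key|secret|token|password)\b(\s*[:=]\s*)(\S+)/gi;

// Keeps the key name and separator, replaces only the value.
function redact(text) {
  return text.replace(SECRET_RE, (_, name, sep) => `${name}${sep}[REDACTED]`);
}

// Redacts one observation event before it is appended to a JSONL log.
function redactEvent(event) {
  return { ...event, input: redact(event.input), output: redact(event.output) };
}

// Constructed sample event, not from a real session.
const SAMPLE_EVENT = {
  tool: "bash",
  input: "export API_KEY=sk-live-0123 && run",
  output: "Error: password: hunter2 rejected",
};

console.log("broken pattern:", compileBroken());
console.log("redacted event:", JSON.stringify(redactEvent(SAMPLE_EVENT)));
```

The check a practitioner would want is the first line of output: if the plugin builds its pattern with new RegExp inside a try/catch, the SyntaxError is exactly what gets swallowed, and redactWithBrokenPattern shows the consequence. Compiling the pattern as a literal at module load makes the same mistake a load-time failure rather than a silent one.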
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 14, 2026, 03:27 AM