continuous-learning
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from the conversation transcript to generate and save new instructions for the agent.
- Ingestion points: The entire current conversation transcript is scanned for patterns in SKILL.md.
- Boundary markers: No programmatic boundary markers are used to separate untrusted session content from the extracted logic; the skill relies on a manual user confirmation step (
AskUserQuestion) which may be bypassed or subverted by a poisoned transcript. - Capability inventory: The skill writes Markdown files with YAML frontmatter to
.claude/skills/learned/and~/.claude/skills/learned/, which are interpreted as skills in subsequent sessions. - Sanitization: No sanitization, escaping, or validation of the extracted content is performed before writing it to the filesystem.
- [DATA_EXFILTRATION]: The 'Continuous Learning' process may capture sensitive information present in the session history—such as API keys, environment variables, or private code snippets—and save them to disk in the
learned/directory. This creates a risk of local data exposure if the filesystem is shared or the skills are moved between environments.
Audit Metadata