continuous-learning-v2

Fail

Audited by Gen Agent Trust Hub on Mar 20, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The hooks/observe.sh script is vulnerable to Python code injection. It processes tool outputs by interpolating raw shell variables into a Python string literal ('''$INPUT_JSON'''). Malicious tool output containing triple quotes can break out of the literal and execute arbitrary code whenever the hook runs.
  • [REMOTE_CODE_EXECUTION]: The system implements a pipeline where imported instincts from arbitrary URLs or auto-generated instincts from logs are 'evolved' into persistent executable commands, skills, or agents. This allows untrusted content to gain execution rights in the agent environment.
  • [EXTERNAL_DOWNLOADS]: The /instinct-import command in scripts/instinct-cli.py allows fetching content from arbitrary, unverified URLs using urllib.request.urlopen and saving it to the local filesystem.
  • [DATA_EXFILTRATION]: The system captures and logs the full inputs and outputs of all tool calls (including Read, Edit, and Bash) to ~/.claude/homunculus/observations.jsonl. This log contains sensitive session data and can be exported via the /instinct-export command.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. Ingestion points: Untrusted data enters via tool outputs stored in observations.jsonl. Boundary markers: No delimiters or warnings are used. Capability inventory: The evolution process can write new executable files. Sanitization: No validation or sanitization is performed on tool outputs before analysis.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 20, 2026, 01:18 PM