continuous-learning-v2

Warn

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its automated observation pipeline.
    1. Ingestion points: 'observations.jsonl' (populated via tool hooks) and remote URLs (via 'instinct-cli.py').
    2. Boundary markers: None; the system relies on the observer agent to autonomously identify patterns from raw log data.
    3. Capability inventory: File-write access to skill/agent directories, network access for imports, and execution of the 'claude' CLI.
    4. Sanitization: No content validation or instruction filtering is performed beyond basic character truncation.
  • [EXTERNAL_DOWNLOADS]: The 'instinct-cli.py' script uses 'urllib.request.urlopen' to fetch content from arbitrary, user-provided URLs without verification, which can introduce malicious instructions into the agent's behavior set.
  • [COMMAND_EXECUTION]: The skill manages background processes via 'start-observer.sh' and executes external CLI tools ('claude') to autonomously analyze logs and generate new instructional content.
  • [PROMPT_INJECTION]: The skill dynamically generates new 'SKILL.md', agent, and command files in the '~/.claude/homunculus/evolved/' directory based on ingested data, creating a self-modifying behavior set that can be exploited via data poisoning to influence future agent actions.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 4, 2026, 03:45 PM