continuous-learning-v2

Fail

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The script hooks/observe.sh is vulnerable to arbitrary code execution. It uses a Bash heredoc to pass tool output (stored in $INPUT_JSON) to a Python sub-process for parsing. Because the shell expands the variable into the heredoc before the Python interpreter runs, tool output containing triple single quotes (''') terminates the Python string literal, so an attacker who controls that output can execute arbitrary Python code in the context of the user session.
  • [PROMPT_INJECTION]: The skill's continuous learning architecture is vulnerable to indirect prompt injection. The background observer agent automatically analyzes session logs, which contain untrusted tool outputs, to generate new behavioral rules.
    - Ingestion points: Untrusted data from previous tool calls is stored in and read from ~/.claude/homunculus/observations.jsonl.
    - Boundary markers: Absent; the agent reads raw logs directly for pattern detection.
    - Capability inventory: The background agent generates 'instinct' files on the local filesystem that directly influence future agent behavior and automated actions.
    - Sanitization: None; tool outputs are truncated but not sanitized or escaped to prevent instruction injection.
  • [EXTERNAL_DOWNLOADS]: The scripts/instinct-cli.py utility allows manual import of behavioral patterns from arbitrary remote URLs using the urllib.request.urlopen function.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 27, 2026, 05:59 PM