continuous-learning
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requires manual configuration of a shell script (evaluate-session.sh) as a 'Stop' hook, which runs automatically at the conclusion of every session.
- [DATA_EXFILTRATION]: The shell script reads the sensitive CLAUDE_TRANSCRIPT_PATH environment variable to access the full log of user and tool interactions from the session.
- [REMOTE_CODE_EXECUTION]: The skill performs dynamic code generation by automatically saving extracted session patterns as new executable skill files in the ~/.claude/skills/learned/ directory.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by processing untrusted session transcripts to generate new system behaviors.
  - Ingestion points: The session transcript (CLAUDE_TRANSCRIPT_PATH) serves as the input source for untrusted data containing user prompts and tool responses.
  - Boundary markers: No explicit delimiters are used to isolate the session transcript content during the pattern extraction process, which may lead the agent to follow instructions embedded in the transcript.
  - Capability inventory: The system enables writing and persisting new executable skills to the agent's local environment, which are automatically loaded in future sessions.
  - Sanitization: Although a configuration option for auto_approve exists, there is no technical enforcement or validation logic shown to prevent the persistence of malicious instructions if the agent is directed to save them.
Audit Metadata