compound-learnings
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Persistence Mechanisms (HIGH): The skill creates permanent hooks in
.claude/settings.jsonand executable shell scripts in.claude/hooks/. These are configured to run automatically on system events likeSessionEnd, creating a persistent execution vector for generated code. - Dynamic Execution (HIGH): The skill writes shell scripts (
.sh) to the filesystem and useschmod +xto grant execution permissions. It also defines a workflow for compiling TypeScript into JavaScript and executing it vianode, effectively allowing the agent to write and run its own software. - Indirect Prompt Injection (LOW):
- Ingestion points: Reads untrusted session history and 'learnings' files from
.claude/cache/learnings/*.md. - Boundary markers: Absent. The skill extracts content from markdown headers and table sections without using delimiters or instructions to ignore embedded commands.
- Capability inventory: The skill possesses the
Bash,Write, andEdittools, allowing it to modify core configuration files and create new executable scripts. - Sanitization: Absent. There is no validation or sanitization of the 'learned' patterns before they are written into system-level rules or executable hooks.
- Command Execution (MEDIUM): Uses
Bashto perform filesystem management and script creation. The use ofchmodon dynamically generated content is a high-risk pattern.
Recommendations
- AI detected serious security threats
Audit Metadata