continuous-learning-v2

Pass

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: SAFE
Tags: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection. The background observer agent (agents/start-observer.sh) reads session logs containing raw tool outputs and passes them to an LLM to generate 'instincts'. Malicious instructions embedded in files read or processed during a session could influence this automated learning process.
  • Ingestion points: Session logs at ~/.claude/homunculus/projects/<hash>/observations.jsonl are read by the observer agent.
  • Boundary markers: The agent prompt uses format specifications and rules (e.g., 'Never include actual code snippets') as weak boundaries, but lacks robust delimiters for untrusted data.
  • Capability inventory: The system can write YAML and Markdown files to the local filesystem and trigger the claude CLI.
  • Sanitization: Data is truncated to 5000 characters in hooks/observe.sh, but no content-based sanitization or instruction filtering is performed.
  • [EXTERNAL_DOWNLOADS]: The scripts/instinct-cli.py utility provides an import command that can fetch content from any user-provided URL using urllib.request. While intended for sharing patterns, this allows the introduction of external data into the agent's internal knowledge base.
  • [COMMAND_EXECUTION]: The skill frequently executes local subprocesses including git for repository detection and the claude CLI for background analysis. These operations are essential to the skill's stated purpose of continuous learning.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 13, 2026, 12:38 AM