continuous-learning-v2

Warn

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: MEDIUM
Flags: DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill records extensive session logs (tool inputs, outputs, and user prompts) into a local data directory. While it implements regex-based redaction for secrets, the comprehensive logging of developer activity is inherently sensitive. These logs are subsequently sent to an external large language model (Claude Haiku) for automated pattern analysis.
  • [EXTERNAL_DOWNLOADS]: The instinct-cli.py script contains an import feature that allows fetching behavioral definition files directly from arbitrary URLs using urllib.request.urlopen.
  • [COMMAND_EXECUTION]: The system relies on executing various shell commands and subprocesses, including the claude CLI, git, and system utilities like nohup and pgrep, to manage its background learning loop and project detection.
  • [PROMPT_INJECTION]: The background observer agent is vulnerable to indirect prompt injection. It ingests untrusted data from observations.jsonl (which contains raw session output) and is instructed to generate "instincts" based on this data. A malicious input during a session could influence the agent to write unauthorized or harmful instructions into the local behavior library.
    • Ingestion points: observations.jsonl (processed by observer-loop.sh and observer.md)
    • Boundary markers: None implemented within the data sampling phase to isolate observation data from agent instructions.
    • Capability inventory: The background agent has Write permissions to the instincts directory and Read permissions to project files.
    • Sanitization: Implements regex-based scrubbing for common secret patterns (API keys, tokens) before logging.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 19, 2026, 06:51 AM
Security Audit — agent-trust-hub — continuous-learning-v2