continuous-learning-v2
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFE
Full Analysis
- [DATA_EXFILTRATION]: The skill captures session activity (tool inputs and outputs) to a local 'observations.jsonl' file. It mitigates exposure risks by implementing an automated secret-scrubbing regex in 'hooks/observe.sh' that redacts common credential patterns such as API keys and tokens before they are persisted to disk.\n- [EXTERNAL_DOWNLOADS]: The 'instinct-cli.py' utility supports importing behavioral patterns from remote URLs via the import command. The downloaded content is parsed as data and saved to local configuration files, which influences future agent behavior but does not involve direct code execution.\n- [COMMAND_EXECUTION]: The skill interacts with the local system using the git and claude CLIs. All subprocess calls in 'instinct-cli.py' and the associated shell scripts use direct execution with list-based arguments, avoiding shell interpolation and mitigating command injection risks.\n- [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection as the background observer agent processes data from 'observations.jsonl', which includes untrusted tool outputs from previous sessions.\n
- Ingestion points: 'observations.jsonl' is read by the sub-agent in 'agents/observer-loop.sh'.\n
- Boundary markers: The prompt in 'agents/observer-loop.sh' does not use specific delimiters or instructions to isolate the ingested observation log from the agent's primary instructions.\n
- Capability inventory: The background agent is explicitly permitted to use 'Read' and 'Write' tools to manage local instinct files.\n
- Sanitization: Secret-redaction is performed in 'hooks/observe.sh', but no structural filtering of potential instructions within tool outputs is implemented.
Audit Metadata