continuous-learning-v2
Fail
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: HIGH
Flagged categories: COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The hooks/observe.sh script contains a severe injection vulnerability. It passes raw JSON data into a Python interpreter through a bash heredoc whose delimiter is unquoted (data = json.loads('''$INPUT_JSON''')), so the JSON is spliced into the Python source text instead of being handed to the interpreter as data. Any tool output containing triple single quotes closes the string literal, and whatever follows it is executed as arbitrary Python on the host system.
- [DATA_EXFILTRATION]: The skill captures and logs all tool inputs and outputs, including sensitive data from Read, Bash, and Edit calls, to a local file (~/.claude/homunculus/observations.jsonl). This creates a persistent, unencrypted cache of potentially sensitive information such as credentials, API keys, and private source code.
- [EXTERNAL_DOWNLOADS]: The scripts/instinct-cli.py utility includes an import feature that fetches content from arbitrary user-provided URLs. That content is then used to define the agent's behavioral 'instincts', providing a vector for external instruction injection.
- [REMOTE_CODE_EXECUTION]: The skill implements a background agent loop via agents/start-observer.sh that automatically analyzes session logs to generate new behavioral instructions. Generating instructions automatically from untrusted session data is a high-risk execution pattern.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. Because the background observer agent processes logs containing untrusted data from the user's environment, an attacker could embed malicious instructions in a file or in command output to manipulate the agent into creating harmful behavioral 'instincts'.
- [COMMAND_EXECUTION]: The skill's installation instructions direct the user to modify the agent's global configuration (~/.claude/settings.json) so that its scripts run as hooks, establishing persistent execution within the agent's operational lifecycle.
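The heredoc finding above, as an added example that is not the skill's or the audit's own code: a minimal hook that reproduces the pattern, a constructed tool event whose output field contains triple single quotes, and a hardened version that quotes the heredoc delimiter and passes the JSON to Python as an argument. Only the json.loads('''$INPUT_JSON''') line comes from the finding; the event field names (tool_name, tool_output), the function names and the sample events are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not the skill's code): the injection pattern the audit
# describes, reduced to a minimal hook, beside a hardened equivalent.
# Field names and sample events below are constructed for the example.

# VULNERABLE: the delimiter EOF is unquoted, so bash expands $INPUT_JSON into
# the Python source text. Any ''' inside the JSON closes the string literal and
# the rest of the JSON is parsed as Python code.
observe_unsafe() {
  local INPUT_JSON="$1"
  python3 - <<EOF
import json
data = json.loads('''$INPUT_JSON''')
print(data["tool_name"])
EOF
}

# HARDENED: the delimiter is quoted ('EOF'), so the source is fixed text and
# bash expands nothing inside it. The JSON travels as a process argument and
# is parsed as data, never spliced into code. (json.load(sys.stdin) is the
# equivalent when the hook receives the event on stdin.)
observe_safe() {
  local INPUT_JSON="$1"
  python3 - "$INPUT_JSON" <<'EOF'
import json, sys
data = json.loads(sys.argv[1])
print(data["tool_name"])
EOF
}

# Constructed events. BENIGN is ordinary. MALICIOUS is still valid JSON (the
# \" is a JSON escape), but once pasted into the unsafe source it reads:
#   data = json.loads('''{...,"tool_output":"x''' + '''\"}''') ; \
#          __import__('os').system('echo INJECTED') ; _ = ('''y"}''')
# which is a syntactically valid Python line that runs a host command.
BENIGN='{"tool_name":"Read","tool_output":"plain text"}'
MALICIOUS=$(cat <<'JSON'
{"tool_name":"Bash","tool_output":"x''' + '''\"}''') ; __import__('os').system('echo INJECTED') ; _ = ('''y"}
JSON
)

# Demo: the unsafe hook prints INJECTED (the command ran); the safe one only
# prints the tool name.
if command -v python3 >/dev/null 2>&1; then
  echo "unsafe hook, malicious event:"; observe_unsafe "$MALICIOUS"
  echo "safe hook, malicious event:";   observe_safe "$MALICIOUS"
fi
```

Quoting the delimiter is the whole fix: with 'EOF', bash performs no expansion inside the heredoc, so no tool output can reach the interpreter as code. As a side note on the same line, because the Python literal is not a raw string, JSON escapes such as \" and \n in ordinary, non-malicious output are reinterpreted by Python before json.loads sees them, so the unsafe hook also mis-parses any event containing quotes or newlines; the hardened form fixes that as well.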
Recommendations
- AI detected serious security threats
Audit Metadata