continuous-learning
Warn
Audited by Gen Agent Trust Hub on May 22, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill is designed to dynamically generate and save new instruction files to .claude/skills/ or ~/.claude/skills/ using the Write and Edit tools. These files are subsequently loaded as executable skills by the platform, representing a form of dynamic code/instruction generation.
- [EXTERNAL_DOWNLOADS]: The instruction set mandates the use of WebSearch and WebFetch to gather information for the new skills. While it suggests seeking official documentation, it effectively ingests untrusted content from the internet to populate executable instruction files.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection.
  - Ingestion points: Untrusted data enters the agent context through WebFetch and WebSearch results (SKILL.md Step 2).
  - Boundary markers: The skill lacks explicit delimiters or structural guards when interpolating fetched web content into the 'Solution' or 'Notes' sections of the newly created skills.
  - Capability inventory: The skill has access to powerful tools including Write, Edit, WebSearch, WebFetch, and the Skill tool itself, allowing it to modify the agent's future behavior.
  - Sanitization: While the 'Quality Gates' mention checking for sensitive info, they do not provide technical sanitization to prevent adversarial instructions in fetched web data from being interpreted by the agent during the extraction process.
- [COMMAND_EXECUTION]: The skill documentation includes an 'Extraction Process' that encourages the creation of supporting scripts in a scripts/ subdirectory. If the extraction process is compromised via indirect injection, the agent could be tricked into writing and potentially executing malicious shell scripts.
Audit Metadata