Learning Loop
ReviewAudited by ClawScan on May 10, 2026.
Overview
Learning Loop is mostly a disclosed local memory system, but one report script has an unsafe path-to-code pattern and the skill intentionally creates persistent, shareable behavior rules.
Use this only in trusted workspaces, review the persistent memory files it creates, and avoid sharing exports without checking them for local path or identity metadata. Before relying on the weekly pattern report, patch or avoid the detect-patterns.sh inline Python path handling issue.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running pattern detection in a maliciously named or attacker-controlled workspace could execute unintended local code under the user's account.
The workspace path is user-supplied and is later embedded directly into Python source code instead of being passed as an argument. A crafted path containing quote/parenthesis characters could change the Python code that runs.
WORKSPACE="${1:-$(pwd)}" ... RULES_FILE="$LEARNING_DIR/rules.json" ... RULE_COUNT=$(python3 -c "import json; print(len(json.load(open('$RULES_FILE')).get('rules',[])))"Change the inline python3 -c calls to pass file paths through argv, as the other heredoc-based Python calls do, and avoid running this script in untrusted or oddly named directories until fixed.
Private feedback or incorrect lessons may be retained and reused later unless the user reviews and edits the memory files.
The skill intentionally stores persistent logs and turns learned items into future boot-loaded behavioral rules, so bad or sensitive entries can persist across sessions and influence later agent behavior.
Tier 1: Events - Raw logs of debugging sessions, mistakes, successes, feedback. Append-only, never deleted. ... Tier 3: Rules ... Loaded at boot. These are your behavioral constraints.
Review events.jsonl, lessons.json, and rules.json periodically; remove sensitive or incorrect entries; and only enable persistent memory in workspaces where that retention is acceptable.
A shared rule export may disclose local environment metadata in addition to the intended rules.
Rule exports for cross-agent sharing include the local agent handle and source workspace path. This supports provenance, but it can reveal local usernames, directory names, or project names when shared.
"agent_handle": agent_handle, ... "source_workspace": rules_path.replace("/memory/learning/rules.json", "")Inspect and redact exported JSON before sharing it with other agents or users, and import rules only from sources you trust.
If scheduled jobs are enabled, learning files and rule confidence can change over time without a direct prompt each time.
The skill describes recurring background-style automation. This is disclosed and aligned with the learning-loop purpose, but it means the system can keep modifying memory/rules after initial setup.
Heartbeat checks periodically scan for missed learning opportunities; Daily cron extracts events from session logs; Weekly cron runs pattern detection, metrics, confidence decay, and self-audit
Enable cron or heartbeat workflows only if you want ongoing background maintenance, and keep the generated memory directory under version control or regular review.