Make your AI agent learn and improve automatically. Reviews sessions, extracts learnings, updates memory files, and compounds knowledge over time. Set up nightly review loops that make your agent smarter every day.
Security Analysis
medium confidenceThe skill's instructions ask the agent to read sessions, write/commit memory files, set up cron/launchd jobs, and run external tools, but the package declares no binaries, credentials, or install — these mismatches are concerning and need clarification before installing.
The description promises automatic review of sessions and updating memory/agent files (including committing and pushing). The SKILL.md expects access to session data, a git repo, and binaries like 'clawdbot' and 'npx compound-engineering', but the skill metadata lists no required binaries, env vars, or config paths. Either the skill expects implicit access to the host environment (not declared) or it assumes external tooling is already installed — this is an incoherence.
Runtime instructions direct the agent to "scan all sessions from last 24h", extract sensitive info (preferences, decisions), update MEMORY.md and daily files, and commit/push changes. They also provide cron and launchd setup snippets and suggest writing to user paths (~/clawd, ~/Library/LaunchAgents). The SKILL.md gives the agent broad discretion about where and how to find sessions and how to store/commit extracted content, which could lead to reading arbitrary files or pushing sensitive data to remote repos.
There is no install spec and no code files (instruction-only), which is low-risk in itself. However the Quick Start and examples show commands like 'npx compound-engineering' and reference '/opt/homebrew/bin/clawdbot'. Those commands refer to external packages/tools not provided by the skill; the instructions implicitly depend on them but the skill doesn't declare these dependencies.
The skill declares no required env vars, but the instructions assume the ability to commit and push to git (which requires credentials or stored SSH keys), to run system-level schedulers, and to access file paths for memory and agents. This is a mismatch: the skill asks the agent to perform actions that normally require credentials and file-system permissions without declaring or restricting them.
The skill does not set 'always: true' and does not request autonomous invocation privileges beyond the platform default. Still, it instructs creating persistent cron/launchd jobs and suggests adding hourly snapshots and nightly reviews — effectively persistent behavior on the host. That persistence is not declared in metadata and could have privacy implications if not reviewed by the user.
Guidance
This skill contains only instructions; it does not ship code or declare credentials, but its runtime steps expect access to session logs, a git repo (commit & push), and external binaries like 'clawdbot' and 'npx compound-engineering'. Before installing or enabling it: 1) Confirm where "sessions" live and ensure the agent is allowed to read only the intended data (avoid exposing PII or secrets). 2) Do not allow automatic commits/pushes of memory files to remote repos unless you trust the destination; consider using a private repo, an isolated local repo, or redaction/encryption of sensitive content. 3) Audit and control the cron/launchd snippets — add them manually rather than letting an agent create them, and ensure paths (/opt/homebrew/bin/clawdbot, ~/clawd) exist and are correct. 4) If you need git pushes, create a dedicated deploy key or token with minimal scope and keep it separate from other credentials. 5) Verify the existence and provenance of any external tools referenced by the instructions (npx package, clawdbot) before running them. 6) If you want to proceed safely, run the review/snapshot workflows manually first, inspect the generated memory files for sensitive data, and only later automate with tightly scoped permissions. If the author can provide the missing details (which binaries are required, where sessions are stored, what git remote is used, or an install package), re-evaluate after those are supplied.
Latest Release
v1.0.0
- Initial release of "compound-engineering" for automated agent learning and memory compounding. - Adds commands for reviewing sessions, extracting learnings, and updating memory files. - Supports nightly and hourly review loops via cron or launchd. - Integrates with Clawdbot for automated session analysis and memory updates. - Provides structure for MEMORY.md (long-term) and daily memory snapshots. - Includes setup instructions, best practices, and integration examples.
More by @AmanGarg1999
Published by @AmanGarg1999 on ClawHub
