skills/jazz1x/honne/crush/Gen Agent Trust Hub

crush

Pass

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill loads content from local files (.honne/personas/antipattern.md, .honne/personas/signature.md, and .honne/personas/judge.md) and instructs the agent to "apply [the] system prompt mentally." This creates a surface for indirect prompt injection where malicious instructions in these files could influence agent behavior.
      • Ingestion points: SKILL.md (and language variants) reads from the .honne/personas/ directory.
      • Boundary markers: Absent. No delimiters or warnings are provided to the agent to ignore potentially malicious instructions inside the persona files.
      • Capability inventory: The skill can execute shell commands via bash and read arbitrary content from specified local paths.
      • Sanitization: Absent. The skill does not validate or sanitize the "system prompts" extracted from the persona files before applying them.
  • [COMMAND_EXECUTION]: The skill executes shell commands using bash in Step 2 to verify the existence of persona files via a local script path: bash "${CLAUDE_PLUGIN_ROOT}/scripts/honne" persona check.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 29, 2026, 02:41 PM