crush
Pass
Audited by Gen Agent Trust Hub on May 22, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [SAFE]: No malicious patterns, obfuscation, or unauthorized access attempts were identified. The skill operates within its described scope using local files and tools.
- [COMMAND_EXECUTION]: The skill executes a local utility script at
${CLAUDE_PLUGIN_ROOT}/scripts/honneto check for the existence of required persona files. This is a standard use of project-specific tooling. - [PROMPT_INJECTION]: The skill ingests user-defined content from local files to guide the AI's persona behavior, creating a surface for indirect prompt injection.
- Ingestion points: Step 3 reads content from
.honne/personas/antipattern.md,.honne/personas/signature.md, and.honne/personas/judge.md. - Boundary markers: None; the content is mentally applied as system instructions for the duration of the debate rounds.
- Capability inventory: The skill can execute the local
honnescript and read local files. - Sanitization: No sanitization or escaping is performed on the ingested persona content.
Audit Metadata