skills/jazz1x/honne/lexi/Gen Agent Trust Hub

lexi

Warn

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a local script via bash and interpolates variables directly into the command line.
  • Evidence: In SKILL.md (and its localized versions), the following instruction interpolates the variable $claim: bash "${CLAUDE_PLUGIN_ROOT}/scripts/honne" record claim --base-dir ".honne" --type claim --axis lexicon --scope "$SCOPE" --text "$claim"
  • Risk: The $claim variable is sourced from user input during the 'edit' phase of the HITL (Human-In-The-Loop) process. If a user provides input containing shell control characters (such as semicolons, backticks, or pipe symbols), it could result in the execution of unintended commands on the host system.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 29, 2026, 02:41 PM