personality
Pass
Audited by Gen Agent Trust Hub on Jun 28, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill utilizes extremely strong, imperative language designed to override the agent's core identity for role-playing. While these are intended for character consistency, terms like "MANDATORY", "CRITICAL", "NON-NEGOTIABLE", and instructions to "Ignore default Claude" behavior are patterns identical to those used in adversarial prompt injections to bypass system constraints.
- [COMMAND_EXECUTION]: The skill includes a shell script,
hooks/personality-hook.sh, that executes upon session start. It uses utilities likecatandjqto read configuration files and inject personality context into the agent's environment. - [DATA_EXFILTRATION]: The skill manages state by reading and writing to
~/.claude/personality.json. Accessing hidden configuration files in the user's home directory is a sensitive operation, though here it is limited to storing persona settings. - [PROMPT_INJECTION]: The personality system facilitates indirect prompt injection by dynamically loading instructions from external profile files into the agent's context.
- Ingestion points:
~/.claude/personality.jsonand files within theprofiles/directory (e.g.,profiles/mordecai.md). - Boundary markers: The hook script wraps injected content in
<PERSONALITY_ACTIVE>tags to separate it from other instructions. - Capability inventory: The agent is instructed to read and update local configuration files and is explicitly told to re-read its own profile instructions if a version change is detected.
- Sanitization: The shell hook uses
jq -Rs .to escape content for JSON transmission, but it does not sanitize or validate the actual instruction content. - Evidence: The "VERSION CHECK" protocol in
profiles/mordecai.mdinstructs the agent to "Read the ENTIRE profile file" and "Integrate behavioral changes" dynamically, allowing the agent's behavior to be modified via external file changes.
Audit Metadata