honcho-setup

Warn

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a local TypeScript file using the bun run command. The script is located at a path determined by the HONCHO_PLUGIN_DIR environment variable or a default location in the user's home directory ($HOME/.honcho/plugins/cursor-honcho/plugins/honcho/src/skills/setup-runner.ts). Running scripts from computed paths is a potential risk if the directory's contents are not fully verified.
  • [CREDENTIALS_UNSAFE]: The skill provides instructions for the user to obtain and store a HONCHO_API_KEY. While it correctly advises storing the key in shell configuration files (~/.zshrc or ~/.bashrc) as an environment variable rather than pasting it into the chat, the skill directly checks for the presence of this sensitive credential using shell commands.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 26, 2026, 03:25 PM
Security Audit — agent-trust-hub — honcho-setup