claude-hooks
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill provides templates and instructions for modifying the `~/.claude/settings.json` configuration file to define arbitrary shell commands under the `hooks` key. These commands execute automatically when specific tools are used or events occur, creating a persistent execution mechanism.
- [REMOTE_CODE_EXECUTION] (HIGH): The provided templates promote unsafe shell interpolation of environment variables. Specifically, the notification example uses `$CLAUDE_MESSAGE` inside an `osascript` call, and the logging example suggests using tool outputs. Since these variables contain untrusted data generated by the LLM or external sources, an attacker could trigger command injection.
- [INDIRECT_PROMPT_INJECTION] (HIGH): The skill exposes a significant attack surface by ingesting untrusted data (tool inputs/outputs) and feeding them directly into executable shell contexts.
  - Ingestion points: `references/claude-hook.template.md` identifies `$CLAUDE_TOOL_INPUT`, `$CLAUDE_TOOL_OUTPUT`, and `$CLAUDE_MESSAGE` as data sources.
  - Boundary markers: None present in the templates to separate data from commands.
  - Capability inventory: The `type: command` hook allows for arbitrary subprocess execution.
  - Sanitization: No sanitization or escaping is mentioned or implemented in the examples, leading to high-risk command injection patterns.
Recommendations
- AI detected serious security threats
Audit Metadata