git-hooks-setup
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The script in `references/pre-commit-hook-nodejs.md` is susceptible to command injection via malicious filenames in the git repository.
  - Ingestion points: Filenames are collected from `git diff --cached --name-only` in `references/pre-commit-hook-nodejs.md`.
  - Boundary markers: Nothing separates the filenames, as data, from shell syntax. They are interpolated directly into a command string, so the shell interprets any metacharacters (`;`, `$(...)`, backticks, `#`) they contain as commands.
  - Capability inventory: The script uses `child_process.execSync` to run `eslint` and `prettier` on the gathered filenames, which spawns a shell and therefore allows arbitrary command execution.
  - Sanitization: The script filters by file extension but does not quote or escape the filename strings before interpolating them into the shell command string. An extension filter is not a defence here, since a filename such as `x.js;evil;#.js` still ends in `.js`.
- [EXTERNAL_DOWNLOADS]: The skill guides the user to install dependencies from the npm registry and download hooks from external GitHub repositories.
  - Evidence: The skill uses `npm install` for `husky` and references repositories from well-known organizations including `psf`, `PyCQA`, and `Yelp` in the `.pre-commit-config.yaml` template.
Audit Metadata