hook-development

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): Shell injection vulnerability in the testing utility script.
      • Evidence: In scripts/test-hook.sh (Line 196), the script executes bash -c "cat '$TEST_INPUT' | $HOOK_SCRIPT". The variables $TEST_INPUT and $HOOK_SCRIPT are interpolated directly into the shell command string without proper escaping. An attacker who can influence the filenames (e.g., via a malicious project structure or user-provided path) can execute arbitrary commands when this utility is run.
  • [PROMPT_INJECTION] (HIGH): The example validation hooks are vulnerable to indirect prompt injection due to high-privilege capabilities and brittle sanitization.
      • Ingestion points: examples/validate-bash.sh and examples/validate-write.sh read tool input (external content) from stdin.
      • Boundary markers: None. The scripts process raw JSON inputs with no delimiters or instructions to ignore embedded commands.
      • Capability inventory: These scripts return a permissionDecision, which directly controls whether the agent is allowed to execute dangerous tools like Bash or Write (execute/write capability tier).
      • Sanitization: The scripts use brittle substring matching (e.g., [[ "$command" == *"rm -rf"* ]]). Attackers can easily bypass these checks using shell aliases, command variations (rm -r -f), or path normalization tricks, allowing unauthorized execution of destructive commands.
  • [DATA_EXFILTRATION] (LOW): The skill utilizes session-persistent environment storage.
      • Evidence: examples/load-context.sh appends data to $CLAUDE_ENV_FILE. While this is a standard feature of the hook environment, it provides a mechanism for persisting state or potential configuration overrides across the entire agent session.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 09:00 PM