Writing Hookify Rules
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill instructs the agent on how to use a 'Hookify' system that processes local markdown files (.claude/hookify.*.local.md) and treats their content as authoritative instructions.
  - Ingestion points: Rules are loaded from the local file system (SKILL.md), potentially coming from untrusted or third-party repositories.
  - Boundary markers: There are no specified boundary markers or sanitization requirements for the 'Message' section of the rules; the agent is simply shown the content when a pattern matches.
  - Capability inventory: Rules can trigger on critical events including bash tool use, file edits, and user prompts, with the capability to block operations or warn (inject text).
  - Sanitization: The documentation lacks any mention of sanitizing rule content or validating the source of the .local.md files.
- [PERSISTENCE] (MEDIUM): The skill facilitates the creation of behavioral hooks stored in a hidden directory (.claude/) that persist across sessions. This allows for long-term behavioral manipulation within a project workspace if a malicious rule is introduced.
Recommendations
- AI detected serious security threats
Audit Metadata