hook-creator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill is designed to create 'command' hooks that execute arbitrary shell scripts or commands on the host system. Example 2 specifically demonstrates executing 'echo', but the framework allows any shell command.
- REMOTE_CODE_EXECUTION (HIGH): By instructing the agent to create and then execute scripts using 'chmod +x' (Step 4), the skill establishes a workflow for arbitrary code execution. If a malicious user or indirect source (e.g., a README in a repository the agent is browsing) triggers this skill, they can gain full shell access.
- Persistence (HIGH): The skill utilizes event hooks like 'SessionStart' and 'PostToolUse'. These are persistence mechanisms that ensure malicious code can run automatically every time a session begins or after any tool is used, making it difficult to detect or remove via standard session clearing.
- PROMPT_INJECTION (HIGH): This skill represents a significant Indirect Prompt Injection surface (Category 8).
  - Ingestion points: Processes user/external requests to 'create a hook' or 'configure event hooks'.
  - Boundary markers: No boundary markers or instructions to ignore embedded commands in the user-provided hook configurations are present.
  - Capability inventory: Includes full shell command execution and filesystem permission modification ('chmod +x').
  - Sanitization: Lacks any validation or sanitization of the command strings provided for the hooks.
Recommendations
- AI detected serious security threats