Hook Development

Pass

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill provides a framework and documentation for 'Prompt-Based Hooks' which are vulnerable to indirect prompt injection via interpolated tool data.
      • Ingestion points: Data from tools and users is ingested via variables such as $TOOL_INPUT, $TOOL_RESULT, and $USER_PROMPT (documented in SKILL.md and references/migration.md).
      • Boundary markers: The provided examples and templates do not utilize delimiters (e.g., XML tags or triple quotes) or specific instructions to isolate the untrusted data from the rest of the prompt logic.
      • Capability inventory: These hooks have the capability to 'deny' or 'block' agent operations, as seen in references/patterns.md and SKILL.md.
      • Sanitization: While the skill provides extensive documentation on sanitizing bash commands and paths, it lacks guidance on sanitizing or escaping the content used in prompt-based hooks to prevent instructions within the data from influencing the LLM's decision-making process.
  • [COMMAND_EXECUTION]: The documentation contains implementation examples with potential security vulnerabilities.
      • Evidence: In references/advanced.md, an example shows raw JSON input $input being directly interpolated into a SQL string for a psql command: psql "$DATABASE_URL" -c "INSERT INTO hook_logs (event, data) VALUES ('PreToolUse', '$input')". This represents a SQL injection vulnerability that could lead to unauthorized database operations if the hook processes malicious tool output.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 26, 2026, 10:58 PM