permission-hook
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill modifies '.claude/settings.json' to register a 'PermissionRequest' hook that executes 'bun .claude/hooks/permission-hook.ts' whenever tools like 'Bash', 'Read', 'Write', 'Edit', 'Glob', 'Grep', 'WebFetch', or 'WebSearch' are called.
- [REMOTE_CODE_EXECUTION]: The skill facilitates the execution of a TypeScript script that is copied from the skill directory into the project and executed at runtime. The script logic decides which tool calls are approved, but its execution is automatic and bypasses standard user approval once configured.
- [PROMPT_INJECTION]: The skill introduces an indirect prompt injection surface by relying on the 'SECURITY_POLICY.md' file. This file is intended to be read by an LLM to make security decisions; an attacker could modify this policy in a repository to trick the hook into auto-approving malicious commands.
  - Ingestion points: .claude/SECURITY_POLICY.md
  - Capability inventory: Bash, Read, Write, Edit, Glob, Grep, WebFetch, WebSearch
  - Boundary markers: Absent
  - Sanitization: Absent
- [DATA_EXFILTRATION]: While not directly exfiltrating data, the hook is configured to manage 'WebFetch' and 'WebSearch' tools. If the auto-approval logic is subverted via the policy file, it could allow the agent to send sensitive data to attacker-controlled external endpoints without user intervention.
Audit Metadata