vscode-claude-notify
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill configures VSCode
hooksinsettings.jsonto automatically execute local scripts (notify-wsl.sh,notify-mac.sh,notify-windows.ps1) when tasks complete or fail. - [COMMAND_EXECUTION]: The configuration provided in
references/hooks-config.mdutilizes the-ExecutionPolicy Bypassflag for PowerShell. This bypasses system-level restrictions designed to prevent the execution of untrusted scripts. - [PROMPT_INJECTION]: The bundled notification scripts are susceptible to indirect prompt injection through shell command injection vulnerabilities.
- Ingestion points: The scripts accept arguments for the notification title and message, which are intended to be populated by the agent's context during hook execution.
- Boundary markers: No boundary markers or delimiters are used to isolate untrusted content in the hook configuration.
- Capability inventory: The scripts execute system-level utilities including
osascripton macOS andpowershell.exeon Windows/WSL to display notifications. - Sanitization: The scripts lack input sanitization. In
scripts/notify-mac.sh, the message variable is interpolated directly into anosascriptcommand string inside double quotes. Similarly,scripts/notify-wsl.shinterpolates variables into a PowerShell command string inside single quotes. An attacker could potentially execute arbitrary commands by including escape characters (like quotes or backticks) in the notification text.
Audit Metadata