hook-development
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION] (SAFE): The `scripts/test-hook.sh` utility executes local shell scripts provided as arguments. While this involves dynamic execution (`bash -c`), it is the primary intended function of the script (a test runner for developer-authored hooks) and does not involve remote code or untrusted inputs.
- [DATA_EXFILTRATION] (SAFE): The `examples/load-context.sh` script reads local file metadata (existence of `package.json`, `Cargo.toml`, etc.) to determine project type and exports environment variables to the project's environment file. This is a standard and documented use of Claude Code SessionStart hooks.
- [PROMPT_INJECTION] (SAFE): The skill documentation (`references/migration.md` and `references/patterns.md`) contains natural language prompts intended for use in 'prompt-type' hooks. These prompts are specifically designed to increase security by instructing the LLM to detect and block destructive operations or credential exposure.
- [BEST_PRACTICES] (SAFE): The `scripts/hook-linter.sh` and `scripts/validate-hook-schema.sh` scripts enforce security best practices, such as variable quoting (to prevent shell injection), path validation, and timeout constraints.
Audit Metadata