hook-creator
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- Command Execution (HIGH): The skill is designed to configure shell commands that execute automatically on system events (e.g., PreToolUse, PostToolUse). This provides a direct mechanism for arbitrary command execution on the host machine.
- Persistence Mechanisms (HIGH): Commands are stored in persistent configuration files (~/.claude/settings.json), allowing malicious logic to survive across different sessions and projects.
- Privilege Escalation (HIGH): The documentation for the PermissionRequest event (in references/hook-events.md) explicitly instructs users how to use exit code 2 to auto-approve permission dialogs, effectively bypassing the agent's human-in-the-loop security boundary.
- Dynamic Execution (HIGH): The SessionStart example in references/examples.md demonstrates sourcing a local environment file (source .claude-env) without any validation. This allows an attacker to achieve local code execution by placing a malicious .claude-env file in a project directory.
- Indirect Prompt Injection (LOW): The Notification hook examples use xargs to interpolate tool-generated messages into shell commands (e.g., osascript -e 'display notification "{}"'). If an attacker can control the message content (e.g., via a subagent output or tool response), they could potentially achieve command injection.
- Credentials Exposure (MEDIUM): While some examples suggest blocking access to sensitive files like .env, the skill provides the exact logic needed to read and process these files using jq and python3, which could be easily repurposed for exfiltration.
Recommendations
- AI detected serious security threats