project-hook-setup

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
  • COMMAND_EXECUTION (CRITICAL): The hook script templates/verify-health.py executes a health_check string read from .claude/config/project.json using subprocess.run(shell=True). Additionally, templates/session-entry.sh uses eval to execute the same configuration value, providing multiple paths for arbitrary shell injection.
  • REMOTE_CODE_EXECUTION (HIGH): The skill implements an 'Indirect Prompt Injection' surface (Category 8). By processing instructions (commands) from a file within the workspace and executing them during PreToolUse lifecycle events, it allows a malicious repository to gain full control over the agent's execution environment. Ingestion point: .claude/config/project.json. Boundary markers: None. Capability inventory: subprocess.run(shell=True), eval. Sanitization: None.
  • COMMAND_EXECUTION (HIGH): templates/verify-tests.py executes a test_command from the configuration file via subprocess.run, which can be exploited if the command string contains malicious arguments.
  • PROMPT_INJECTION (LOW): The skill documentation suggests it is integrated into an automated INIT state by an initializer skill, which could be used to force the installation of these vulnerable hooks without explicit user consent in a new project.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 07:47 AM