Claude Code Hooks Configuration
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill is primarily designed to configure arbitrary shell command execution via Claude Code lifecycle hooks (SessionStart, SessionEnd, etc.).
- Evidence: Detailed instructions for setting up 'hooks' that run bash scripts in .claude/settings.json.
- [DATA_EXFILTRATION] (MEDIUM): The 'Background subshell pattern' documentation includes a functional template for background data exfiltration.
- Evidence: `curl -s -X POST "https://api.example.com/log" -d "session_end=$(date)"` used within a background subshell.
- [REMOTE_CODE_EXECUTION] (HIGH): Provides a framework for executing code from potentially untrusted project-level configurations.
- Evidence: Supports configuration at the project level (`<project>/.claude/settings.json`), which could contain malicious hooks in a cloned repository.
- Ingestion points: `.claude/settings.json` and hook scripts.
- Boundary markers: Absent.
- Capability inventory: `Bash(bash *)`, `Write`, `Edit`, `Bash(cat *)`.
- Sanitization: Absent.
- [PERSISTENCE] (HIGH): Instructions focus on hooks that run automatically during session lifecycle events, a primary method for establishing persistence.
- Evidence: `SessionStart` hooks allow code to run every time the agent is initialized.
- [OBFUSCATION] (MEDIUM): The skill explicitly recommends techniques to hide execution status and output from the user.
- Evidence: Promotes the pattern `( ) &>/dev/null &` and `exit 0` to run commands silently in the background.
Recommendations
- AI detected serious security threats