creating-hooks

Fail

Audited by Socket on Feb 14, 2026

2 alerts found:

Security, Obfuscated File
Security MEDIUM
SKILL.md

[Skill Scanner] Backtick command substitution detected

All findings:
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

The document itself is a legitimate configuration and how-to guide for adding deterministic lifecycle hooks to Claude Code. It is internally consistent with its stated purpose. However, the feature grants the ability to run arbitrary shell commands (including runtime package fetches via npx), read/write files, and inject outputs into agent context — all of which are high-value sinks for credential theft or code-execution supply-chain attacks. There is no malicious code embedded here, but the mechanism is a high-risk capability and should be treated accordingly (audit hook definitions, avoid untrusted hooks or runtime installs).

LLM verification: This SKILL.md is documentation for a hook system and is not itself malicious. It correctly documents inputs and the powerful capability to run shell commands. The main security concern is legitimate: hooks allow arbitrary command execution, so repositories that include project-level hook configs (.claude/settings.json) can become an attack vector in supply-chain scenarios. The examples show shell pipelines that could be unsafe if tool_input or settings are attacker-controlled and not sanitized.

Confidence: 80%
Severity: 75%

Obfuscated File HIGH
references/anthropic-hooks-guide.md

The document itself is not malware, but it documents a powerful feature that executes arbitrary user-supplied shell commands and agent logic at runtime. This capability can be abused for supply-chain attacks (credential harvesting, persistent logging of sensitive commands, network exfiltration, or running arbitrary processes) if hooks or settings files are malicious or unreviewed. Treat .claude settings and hook scripts as high-privilege: review before use, avoid committing network-capable or logging hooks to shared repos, and prefer restrictive, signed, or organization-managed hook policies.

Confidence: 98%

Audit Metadata
Analyzed At: Feb 14, 2026, 12:02 PM
Package URL: pkg:socket/skills-sh/lexler%2Fskill-factory%2Fcreating-hooks%2F@0ad79b0c2514051eb4c47ffe51dd0a32a506a03b