create-hooks

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill encourages the use of 'Prompt Hooks' to validate the safety of bash commands and code changes.
      • Ingestion Points: Untrusted data (tool inputs, outputs, and session transcripts) is ingested via the $ARGUMENTS placeholder in references/command-vs-prompt.md and references/hook-types.md.
      • Boundary Markers: Examples lack delimiters (e.g., XML tags or triple quotes) around $ARGUMENTS to separate instructions from data.
      • Capability Inventory: These hooks have the power to 'block' or 'approve' shell execution and can modify tool_input (e.g., changing command flags) via the updatedInput field.
      • Sanitization: No guidance is provided on sanitizing the contents of $ARGUMENTS to prevent embedded instructions from overriding the hook's logic.
  • Command Execution (MEDIUM): The core functionality of the skill is to facilitate the execution of arbitrary shell commands through the hook system.
      • Evidence: Examples in SKILL.md and references/hook-types.md demonstrate executing jq, prettier, osascript, and cp based on agent events.
      • Risk: While this is a feature of the target environment, the skill provides patterns for logging session data and command history to local files (~/.claude/bash-log.txt), which could lead to local data exposure if those files are accessible to other processes.
  • Persistence Mechanisms (LOW/INFO): Configuring hooks in ~/.claude/hooks.json establishes a persistent execution path that triggers on every session and tool use. This is the intended use of the feature, but it is a mechanism for maintaining a presence within the agent's runtime environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 12:29 AM