hook-skill
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill provides instructions and code templates for creating hooks that execute arbitrary bash and Python scripts. The hooks.json configuration explicitly supports a command type for runtime shell execution.
- [PROMPT_INJECTION] (HIGH): The skill enables 'Indirect Prompt Injection' by creating a high-privilege surface that processes untrusted data.
  - Ingestion points: Data enters through stdin JSON from Claude Code events like PreToolUse (tool inputs) and UserPromptSubmit (user prompts).
  - Boundary markers: None are specified or required in the prompt templates provided in the examples.
  - Capability inventory: Execution of subprocesses (Bash/Python), modification of $CLAUDE_ENV_FILE, and the ability to auto-approve tool execution via permissionDecision: allow.
  - Sanitization: The provided example (Example 4) uses basic regex for 'dangerous patterns,' which is an incomplete and bypassable sanitization method.
- [PRIVILEGE_ESCALATION] (HIGH): The skill documents how to programmatically override security dialogues using PermissionRequest hooks. This allows an agent (or an attacker via indirect injection) to grant itself permissions that would otherwise require user intervention.
- [COMMAND_EXECUTION] (MEDIUM): The skill facilitates 'Dynamic Execution' by teaching the agent to generate and then execute local scripts (Bash/Python), creating a pathway for runtime code injection.
Recommendations
- AI detected serious security threats
Audit Metadata