The Agent Skills Directory

Indirect Prompt Injection (HIGH): The skill implements a summarization pipeline that processes untrusted external data from tool outputs. This creates a significant injection surface.
Ingestion points: sys.stdin in pre_tool.py and post_tool.py reads JSON data representing tool inputs and outputs.
Boundary markers: Absent. Data is directly interpolated into an f-string prompt in the summarize_event function without delimiters.
Capability inventory: Hook scripts possess network broadcast capabilities and the ability to trigger LLM completions (claude.complete).
Sanitization: None present. The only protection is simple truncation ([:500]), which does not prevent adversarial instructions from influencing the haiku model.
Data Exposure & Exfiltration (MEDIUM): The EventBroadcaster and broadcast functions facilitate sending raw tool payloads to external WebSocket clients. The architecture lacks any mechanism to filter or mask sensitive data (such as environment variables or credentials) that might appear in tool outputs before they are transmitted externally.
Command Execution (MEDIUM): The hooks.json configuration pattern explicitly executes shell commands (python hooks/pre_tool.py) triggered by agent events. This provides a direct path for persistent command execution if an attacker can influence the hook configuration or the script contents.
Metadata Poisoning (LOW): The skill references a non-existent model version (claude-opus-4-5-20251101) in its metadata. While likely a placeholder or hallucination, misleading metadata can be used to misrepresent the skill's provenance or safety status.

hook-event-architecture