project-hooks
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill is designed to execute arbitrary shell scripts stored in .claude/hooks/. This allows local code execution on the user's system whenever specific agent actions (such as tool use or prompt submission) occur. While this is the primary functionality of the skill, it creates a significant attack surface if a malicious project or user places executable scripts in the project directory. Finding severity is reduced from HIGH to MEDIUM because this is the primary stated purpose of the skill.
- INDIRECT_PROMPT_INJECTION (LOW): The hook system processes untrusted data such as tool inputs and user prompts, delivered as JSON on stdin. Template 2 provides a naive security filter that blocks dangerous commands with grep; a substring match of this kind is easily bypassed with ordinary shell techniques (alternative flag spellings, quoting, backslash escapes, encoded payloads), potentially giving the user a false sense of security.
  - Ingestion points: stdin of hook scripts (e.g., .claude/hooks/block-dangerous.sh) receives JSON metadata from the agent context.
  - Boundary markers: No boundary markers or 'ignore' instructions are used when passing agent data to the scripts.
  - Capability inventory: Full subprocess execution, file system access via shell scripts, and execution of package managers.
  - Sanitization: Minimal and bypassable regex-based filtering in the example templates.
- REMOTE_CODE_EXECUTION (LOW): Templates 1 and 5 use npx and npm test. These commands can trigger the download and execution of remote code from the npm registry. While these are trusted standard tools, their use within an automated hook increases the risk of executing untrusted code in a compromised environment.
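The following is an added example illustrating the INDIRECT_PROMPT_INJECTION finding above; it is not the project's Template 2 or any other code from the audited skill. It puts a grep-style substring filter next to a tokenizing check and runs both over a handful of constructed command lines to show which bypasses the substring filter misses and where it false-positives. A hook can be any executable, so this one is written in Python to use the standard library's json and shlex modules. The hook contract it assumes (a JSON object on stdin with tool_name and tool_input.command, and a non-zero exit status meaning "block") is an assumption, not something the audit page states; the field names, the dangerous-program set and the sample commands are likewise constructed for the example.

```python
#!/usr/bin/env python3
"""Added example (not the audited skill's Template 2): a hook that decides
whether a shell command may run, comparing a grep-style substring filter
with a tokenizing check.

Assumed hook contract (not stated on the audit page): the agent writes a
JSON object to stdin containing tool_name and tool_input.command, and a
non-zero exit status blocks the action.
"""
import json
import os
import re
import shlex
import sys

# What a naive `grep -q 'rm -rf'` filter effectively checks.
NAIVE_PATTERN = re.compile(r"rm -rf")

# Programs the hook refuses to run, matched on the resolved command word.
# Illustrative set; a real deployment should be an allow-list, not this.
DANGEROUS_PROGRAMS = {"rm", "dd", "mkfs", "shred"}

# Wrapper programs whose real command is their first argument.
WRAPPERS = {"sudo", "env", "command", "nohup", "nice", "time", "exec"}

# Constructs a tokenizer cannot see through (substitution, eval, decoding,
# nested shells): refuse them outright instead of emulating the shell.
OPAQUE = re.compile(r"\$\(|`|\beval\b|\bbase64\b|\bxargs\b|\b(?:sh|bash|zsh)\s+-c\b")

CONTROL_OPERATORS = {";", "&&", "||", "|", "&", "(", ")"}


def naive_blocks(command: str) -> bool:
    """Substring match: misses `rm -r -f`, `r\\m -rf`, quoting and encoding."""
    return NAIVE_PATTERN.search(command) is not None


def simple_commands(command: str):
    """Yield the word lists of each simple command on the line. shlex in
    POSIX mode resolves quotes and backslashes the way sh would, and
    punctuation_chars makes control operators their own tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    current = []
    for token in lexer:  # raises ValueError on unbalanced quotes
        if token in CONTROL_OPERATORS:
            if current:
                yield current
            current = []
        else:
            current.append(token)
    if current:
        yield current


def program_of(words):
    """Return the program a simple command actually invokes, skipping
    leading VAR=value assignments and wrapper programs."""
    i = 0
    while i < len(words) and (re.fullmatch(r"[A-Za-z_]\w*=.*", words[i])
                              or os.path.basename(words[i]) in WRAPPERS):
        i += 1
    return os.path.basename(words[i]) if i < len(words) else ""


def hardened_blocks(command: str) -> bool:
    """Default-deny on opaque constructs, otherwise tokenize and check the
    program of every simple command on the line."""
    if OPAQUE.search(command):
        return True
    try:
        return any(program_of(words) in DANGEROUS_PROGRAMS
                   for words in simple_commands(command))
    except ValueError:
        return True  # unbalanced quotes: refuse rather than guess


def decide(hook_event: dict):
    """Map the hook's stdin JSON (assumed shape) to (exit_status, reason)."""
    if hook_event.get("tool_name") != "Bash":
        return 0, "not a shell command"
    command = hook_event.get("tool_input", {}).get("command", "")
    if hardened_blocks(command):
        return 2, "blocked: %r" % command
    return 0, "allowed"


# Constructed sample command lines, as an agent might submit them.
SAMPLES = [
    "rm -rf build/",
    "rm -r -f build/",
    "r\\m -rf build/",
    "'r'm -rf build/",
    "sudo /bin/rm -r -f build/",
    "echo cm0gLXJmIGJ1aWxkLw== | base64 -d | sh",
    "npm test && echo 'rm -rf' > notes.txt",
]


def compare(samples=SAMPLES):
    """Return {command: (naive_blocks, hardened_blocks)} for each sample."""
    return {c: (naive_blocks(c), hardened_blocks(c)) for c in samples}


if __name__ == "__main__":
    if sys.stdin.isatty():  # run interactively: print the comparison table
        for cmd, (naive, hard) in compare().items():
            print("naive=%-5s hardened=%-5s  %s" % (naive, hard, cmd))
    else:  # run as a hook: read the event, exit non-zero to block
        status, reason = decide(json.load(sys.stdin))
        print(reason, file=sys.stderr)
        sys.exit(status)
```

Of the seven samples only the first is caught by the substring filter; the flag-splitting, backslash, quoting, wrapper and base64 variants all pass it, while the last sample (a harmless string in quotes) trips it. The tokenizing check gets all seven right, but note that it still only deny-lists program names and refuses constructs it cannot interpret; the honest hardening for a hook like this is an allow-list of permitted commands, because no filter over free-form shell text can enumerate every way of spelling a dangerous one.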
Audit Metadata