research-writing-assistant

SUSPICIOUS: the skill is not overtly malicious and shows no direct credential theft or exfiltration, but its actual footprint is broader than a simple writing helper because it mandates transitive loading of many unspecified skills. The main risk is indirect trust expansion and unverified downstream behavior, not confirmed malware.

The code enables running an external local script at session start, which is a legitimate extensibility mechanism but introduces supply-chain and runtime risk. Without integrity verification, signing, or isolation, the script can become a backdoor or attack surface if tampered or replaced. Implement safeguards to mitigate risk in trusted environments.

The hook mechanism is legitimate for extensibility but presents a non-trivial startup-time execution risk: if CLAUDE_PLUGIN_ROOT is tainted or if run-hook.cmd is malicious, arbitrary code could run at session start. Recommendations include restricting CLAUDE_PLUGIN_ROOT to trusted locations, implementing integrity verification (signatures, hashes) for run-hook.cmd, enabling least-privilege execution, adding auditing/logging of executed commands, and isolating the script execution (sandbox or container) where feasible.