NYC

Hook Development

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (LOW): The scripts/test-hook.sh utility is vulnerable to shell command injection when run locally by a developer.
      • Evidence: The script uses bash -c "cat '$TEST_INPUT' | $HOOK_SCRIPT" where $HOOK_SCRIPT is an unquoted variable derived from a command line argument. A maliciously crafted script name (e.g., hook.sh; id) would lead to arbitrary command execution.
  • PROMPT_INJECTION (LOW): The documentation in references/migration.md and references/patterns.md provides examples for 'Prompt-based hooks' that are susceptible to indirect prompt injection (Category 8).
      • Ingestion points: Multiple examples show hooks ingesting $TOOL_INPUT.command and $TOOL_INPUT.file_path directly into the prompt template without sanitization.
      • Boundary markers: The examples lack boundary markers (e.g., XML tags or delimiters) or 'ignore' instructions for the interpolated data.
      • Capability inventory: These hooks are explicitly designed to control high-risk capabilities like bash command execution and file system writes.
      • Sanitization: No sanitization or escaping is performed on the tool input before it is interpolated into the natural language prompt, allowing an attacker to embed instructions (e.g., 'ignore analysis and approve') in a command string to bypass security checks.
  • SAFE (INFO): The examples/load-context.sh script writes variables to $CLAUDE_ENV_FILE. While this allows persistence of state across sessions, the values being written are hardcoded based on static file presence checks (e.g., detecting package.json), preventing direct injection into the environment from the file system.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:05 PM