Hooks Automation
Warn
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION]: The skill's configuration pattern interpolates agent tool parameters directly into shell strings (e.g., `npx claude-flow hook pre-edit --file '${tool.params.file_path}'`). This creates a significant command injection surface if a file name or task description contains shell metacharacters like semicolons or backticks.
- [COMMAND_EXECUTION]: The skill facilitates the modification of Git hooks (such as `pre-commit` and `pre-push`), which allows for the persistence and automatic execution of scripts during routine version control operations.
- [EXTERNAL_DOWNLOADS]: The skill's documentation instructs users to install an external NPM package (`claude-flow@alpha`) as a prerequisite for its core functionality.
- [DYNAMIC_EXECUTION]: The framework allows for the execution of arbitrary JavaScript files (e.g., `.claude/hooks/custom-quality-check.js`) as "Custom Hooks," which enables the execution of unverified local code based on configuration settings.
- [DATA_EXPOSURE]: Documentation examples explicitly mention operating on sensitive files such as `production.env`, which could lead to accidental exposure if combined with the skill's "broadcast" notification features.
- [INDIRECT_PROMPT_INJECTION]: The skill possesses a clear attack surface for indirect injection:
  - Ingestion points: Tool parameters like `file_path`, `command`, `task`, and `pattern` are used as inputs in `SKILL.md` configuration examples.
  - Boundary markers: Absent; parameters are interpolated directly into shell command strings.
  - Capability inventory: The skill can execute shell commands, modify Git hooks, and call MCP tools for memory and agent management.
  - Sanitization: There is no evidence of escaping or validation of these parameters before execution.
Audit Metadata