Hooks Automation
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the claude-flow package from the NPM registry.\n- [COMMAND_EXECUTION]: The skill's primary function involves configuring hooks that execute shell commands automatically when specific tools (like Write, Edit, or Bash) are used.\n- [COMMAND_EXECUTION]: Hooks interpolate variables like ${tool.params.file_path} and ${tool.params.command} into shell strings. This pattern is vulnerable to command injection if the input parameters are not sanitized before execution.\n- [REMOTE_CODE_EXECUTION]: Dynamic execution of logic is performed via npx and shell scripts defined in the configuration, allowing for arbitrary code execution at runtime.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted inputs from the agent's environment.\n
- Ingestion points: Data enters the system via tool.params (task, file_path, command, pattern) which are interpolated into hook commands in .claude$settings.json.\n
- Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the configuration examples.\n
- Capability inventory: The skill can execute shell commands (npx), write files (backups), and broadcast notifications to other agents.\n
- Sanitization: No sanitization or escaping mechanisms are described for the data interpolated into shell commands.
Audit Metadata