Hook Development

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
  • Command Execution (LOW): The utility script scripts/test-hook.sh contains a command injection vulnerability. It uses unsafe variable interpolation by embedding the $HOOK_SCRIPT variable directly into a bash -c command string. If a developer uses a filename containing shell metacharacters (e.g., semicolons), it could result in the execution of arbitrary commands. This violates the security best practices that the skill's own hook-linter.sh script is designed to detect.
  • Indirect Prompt Injection (LOW): The provided example hooks (examples/validate-bash.sh, examples/validate-write.sh, and examples/load-context.sh) are designed to process untrusted data from agent tool inputs. Although these specific scripts implement validation logic, they represent a surface for indirect prompt injection attacks.
      • Ingestion points: Untrusted tool input read via stdin in validate-bash.sh and validate-write.sh.
      • Boundary markers: Not present; the scripts rely on logical parsing rather than explicit LLM delimiters.
      • Capability inventory: The hooks have the capability to approve or deny agent actions, access the file system, and modify environment variables via $CLAUDE_ENV_FILE.
      • Sanitization: The examples use jq for JSON parsing and regular expressions to filter for common attack patterns like rm -rf and path traversal (..).
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:33 PM