claude-hooks

[Skill Scanner] Destructive bash command detected (rm -rf, chmod 777) All findings: [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [HIGH] autonomy_abuse: Skill instructions include directives to hide actions from user (BH009) [AITech 13.3] [HIGH] data_exfiltration: Outbound data post or form upload via curl/wget detected (NW002) [AITech 8.2.3] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] This document describes a powerful hook system that legitimately supports automation but also enables multiple high-risk patterns: arbitrary shell execution on many event types, unpinned package installs during onInstall, and examples of sending data to external endpoints. The functionality aligns with the stated purpose, but the breadth of capabilities is disproportionate to safe defaults. If allowed without strong runtime controls (sandboxing, strict allowlists, mandatory validation, disallowing network/installer operations by default), these hooks can be abused for credential harvesting, data exfiltration, or supply-chain compromise. Recommended mitigation: enforce least privilege for hooks, disallow network/install actions by default or require explicit signing/pinning, sanitize injected variables, and provide clearer runtime constraints in the implementation. LLM verification: This skill is a documentation/templating framework for executing shell hooks on agent/plugin events. The functionality is consistent with its stated purpose, but it inherently allows execution of arbitrary shell commands, network calls, and third-party installs using substituted variables (including raw prompts and file contents). That capability is proportionate only when strictly controlled; in general it presents a moderate-to-high supply-chain and data-exfiltration risk because hooks can (an