claude-monitor

Warn

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads multiple shell scripts and a Swift source file from the author's GitHub repository (wangjs-jacky/jacky-claude-monitor). It also recommends installation via an NPM package (@wangjs-jacky/claude-monitor) using npx.
  • [REMOTE_CODE_EXECUTION]: The installation process involves fetching a remote Swift file (main.swift) and compiling it into an executable (claude-float-window) on the local machine using the swiftc compiler.
  • [COMMAND_EXECUTION]: The skill instructs the user to modify the sensitive ~/.claude/settings.json configuration file to include command hooks. These hooks trigger the execution of shell scripts (downloaded from the author's repository) whenever specific events occur in Claude Code, such as tool usage, session starts, or user prompt submissions.
  • [PROMPT_INJECTION]: The skill establishes an indirect prompt injection surface because it ingests untrusted data from the Claude Code agent session events to update notifications and its local dashboard.
    • Ingestion points: Hook scripts (e.g., prompt-submit.sh, tool-end.sh) receive context from the Claude Code agent session.
    • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are specified in the hook configurations.
    • Capability inventory: The system executes shell scripts and manages a local daemon with networking capabilities (port 17530).
    • Sanitization: The instructions do not mention sanitization or validation of the session data before it is processed by the shell hooks.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 7, 2026, 04:53 PM