Hooks Automation
Fail
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's primary functionality and configuration examples rely on executing shell commands through npx. The documentation promotes using variable interpolation (e.g., '${tool.params.file_path}') directly inside command strings in settings.json. This pattern is highly susceptible to command injection if tool parameters contain shell metacharacters like backticks, semicolons, or pipe symbols.
- [CREDENTIALS_UNSAFE]: The skill's documentation explicitly includes examples of hooks targeting sensitive files such as 'production.env'. Automating the backup, validation, or processing of environment files increases the risk of credential exposure and accidental exfiltration of secrets, API keys, and private configuration data.
- [REMOTE_CODE_EXECUTION]: The skill requires the installation of the 'claude-flow' package and utilizes 'npx' to execute hooks at runtime. Executing unversioned or alpha-stage packages directly from the npm registry introduces a dependency on the security and integrity of the external registry and the package maintainer.
- [DATA_EXFILTRATION]: The hook system implements a 'coordination memory' and broadcast notifications to synchronize state across multiple agents. This infrastructure can be abused to capture sensitive data (such as file contents or environment variables) and move it into shared memory namespaces or external logs without explicit user consent.
- [PROMPT_INJECTION]: The skill presents a significant surface for indirect prompt injection (Category 8). It ingests untrusted data from file paths, command outputs, task descriptions, and search queries into its automation logic.
  - Ingestion points: Data enters the system through file paths, bash command strings, and task descriptions used in hooks like pre-task and pre-edit (SKILL.md).
  - Boundary markers: There are no documented boundary markers or instructions to the agent to ignore embedded commands within the processed data.
  - Capability inventory: The skill possesses extensive capabilities including shell command execution, file editing, and MCP tool interaction (SKILL.md).
  - Sanitization: No sanitization or validation logic is described for the interpolated data before it is passed to shell environments or tool parameters.
Recommendations
- AI detected serious security threats
Audit Metadata