hooks-automation
Warn
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill establishes a system-wide hook architecture that triggers shell commands (
npx claude-flow) for nearly every core agent activity, including file editing, bash command execution, and task initialization. This creates a significant execution surface where the agent's actions automatically trigger secondary shell processes. - [REMOTE_CODE_EXECUTION]: The configuration supports the execution of custom JavaScript files (e.g.,
.claude/hooks/custom-quality-check.js) using ascripthook type. This allows the skill to load and execute arbitrary code stored in the local project directory during standard agent operations. - [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from tool parameters (such as
task,command, andfile_path) and interpolates them directly into shell command templates in.claude/settings.json. - Ingestion points:
references/configuration.md(lines 14, 21, 55, 65, 78, 88) uses interpolation for${tool.params.file_path},${tool.params.command},${tool.params.task}, and${tool.params.pattern}. - Boundary markers: No boundary markers or escaping mechanisms are present in the provided templates to prevent malicious input from breaking out of the CLI arguments.
- Capability inventory: The system can execute arbitrary shell commands and load external scripts via the
claude-flowhook runner. - Sanitization: There is no evidence of input validation or sanitization before interpolation into the hook commands, making the system vulnerable to command injection if tool parameters contain shell metacharacters.
- [DATA_EXFILTRATION]: While intended for persistence and coordination, the
memory_usageandmemory_persistmechanisms facilitate the movement of project metadata and operation summaries to external MCP servers and local storage, which could be exploited to collect sensitive session data.
Audit Metadata