hooks-automation

Warn

Audited by Gen Agent Trust Hub on Jun 14, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill establishes a system-wide hook architecture that triggers shell commands (npx claude-flow) for nearly every core agent activity, including file editing, bash command execution, and task initialization. This creates a significant execution surface where the agent's actions automatically trigger secondary shell processes.
  • [REMOTE_CODE_EXECUTION]: The configuration supports the execution of custom JavaScript files (e.g., .claude/hooks/custom-quality-check.js) using a script hook type. This allows the skill to load and execute arbitrary code stored in the local project directory during standard agent operations.
  • [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from tool parameters (such as task, command, and file_path) and interpolates them directly into shell command templates in .claude/settings.json.
  • Ingestion points: references/configuration.md (lines 14, 21, 55, 65, 78, 88) uses interpolation for ${tool.params.file_path}, ${tool.params.command}, ${tool.params.task}, and ${tool.params.pattern}.
  • Boundary markers: No boundary markers or escaping mechanisms are present in the provided templates to prevent malicious input from breaking out of the CLI arguments.
  • Capability inventory: The system can execute arbitrary shell commands and load external scripts via the claude-flow hook runner.
  • Sanitization: There is no evidence of input validation or sanitization before interpolation into the hook commands, making the system vulnerable to command injection if tool parameters contain shell metacharacters.
  • [DATA_EXFILTRATION]: While intended for persistence and coordination, the memory_usage and memory_persist mechanisms facilitate the movement of project metadata and operation summaries to external MCP servers and local storage, which could be exploited to collect sensitive session data.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 14, 2026, 06:40 AM
Security Audit — agent-trust-hub — hooks-automation