hooks-automation
Warn
Audited by Socket on Jun 14, 2026
1 alert found:
AnomalyAnomalyreferences/git-and-agents.md
LOWAnomalyLOW
references/git-and-agents.md
No direct malicious code is visible in this fragment (no explicit exfiltration, eval, or credential theft). The main security concern is supply-chain and trust boundary: these Git hook scripts execute an external CLI via `npx claude-flow` and run npm scripts automatically in pre-commit/pre-push contexts. If `claude-flow` (or the invoked npm scripts) were compromised, it could perform harmful actions during developer workflows. Additionally, commit messages are included in notification payloads, which could leak secrets if commit messages contain them.
Confidence: 100%Severity: 60%
Audit Metadata