hooks-automation

Warn

Audited by Socket on Jun 14, 2026

1 alert found:

Anomaly
AnomalyLOW
references/git-and-agents.md

No direct malicious code is visible in this fragment (no explicit exfiltration, eval, or credential theft). The main security concern is supply-chain and trust boundary: these Git hook scripts execute an external CLI via `npx claude-flow` and run npm scripts automatically in pre-commit/pre-push contexts. If `claude-flow` (or the invoked npm scripts) were compromised, it could perform harmful actions during developer workflows. Additionally, commit messages are included in notification payloads, which could leak secrets if commit messages contain them.

Confidence: 100%Severity: 60%
Audit Metadata
Analyzed At
Jun 14, 2026, 06:41 AM
Package URL
pkg:socket/skills-sh/frankxai%2Fclaude-skills-library%2Fhooks-automation%2F@6413a3eb849ddf75385a9c11217a6b62ad7eea962bdb79a19947b313d6e4a220
Security Audit — socket — hooks-automation