hooks-core-reference

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's hooks framework explicitly includes matchers for WebFetch/WebSearch and MCP tools like mcp__github__search_repositories (see "Event-Specific Matchers" and "Working with MCP Tools") and documents that hook output is added to Claude's context (see "Output Handling by Event"), which means untrusted public web/GitHub content can be ingested and influence the agent's subsequent behavior.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt documents and encourages creating hooks that execute arbitrary shell commands (including setup hooks for installing dependencies and persisting environment changes), which run automatically with the agent's environment and can modify, delete, or persist files—giving the agent effective ability to alter the host system state.