create-hook

Warn

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: MEDIUM
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill instructions provide a method to "auto-approve subagent permissions" by configuring a PermissionRequest hook with a prompt handler. This pattern specifically targets and bypasses human-in-the-loop (HITL) security controls, allowing potentially untrusted subagents to perform sensitive actions without user confirmation.
  • [COMMAND_EXECUTION]: The skill uses the $ARGUMENTS variable to seed the hook design process. This creates a surface for command injection if the input is not sanitized before being passed to shell commands. The evals/evals.json file explicitly lists injection strings like 'my_app; rm -rf /' as test cases for the agent's validation logic.
  • [DATA_EXFILTRATION]: Hooks generated by this skill for PreToolUse and PostToolUse events have access to the full context of tool interactions. This provides an opportunity for sensitive information, such as file contents or API responses, to be intercepted and exfiltrated if the hook's command handler is directed to a remote endpoint or external file.
  • [REMOTE_CODE_EXECUTION]: The skill is designed to generate hooks.json entries that can execute arbitrary shell commands via the command handler. This allows for persistent execution of code triggered by specific agent events. This also introduces an indirect prompt injection surface:
    • Ingestion points: Agent lifecycle events such as PreToolUse and PermissionRequest (documented in SKILL.md).
    • Boundary markers: None provided in the instructions to separate event data from the hook's execution logic.
    • Capability inventory: Hooks can execute Bash commands and provide prompts to the agent.
    • Sanitization: The skill does not instruct on sanitizing event data before it is processed by the generated hook handlers.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 5, 2026, 01:23 PM