Trust Report v1

Hook Development

This skill should be used when the user asks to "create a hook", "add a PreToolUse/PostToolUse/Stop hook", "validate tool use", "implement prompt-based hooks", "use ${CLAUDE_PLUGIN_ROOT}", "set up event-driven automation", "block dangerous commands", or mentions hook events (PreT

Overall

Trust

Utility

Momentum

Install caution

High-risk behavior present

Risk: High

Source: Claude Code Plugin Skills

Path: plugins/plugin-dev/skills/hook-development/SKILL.md

Review flags: browser/session access, filesystem/home-directory access, network access or external URLs, shell command snippets. These are review signals, not definitive security judgments; inspect before installing.

Required permissions

• Environment variables / secrets
• Shell commands
• Network/API usage
• Filesystem/home access
• Browser/session access

Permissions are inferred from SKILL.md text only. They are review prompts, not guarantees about runtime behavior.

Risk flags explained

browser_or_session_accessmedium

Mentions browser automation, cookies, sessions, local storage, or browser state.

filesystem_write_or_home_accessmedium

Mentions filesystem writes, deletes, home-directory paths, or config/key locations.

network_accessmedium

Mentions external URLs, network APIs, downloads, or HTTP client usage.

shell_commandmedium

Contains shell command snippets. Review commands before copy/paste or agent execution.

Score explanation

Trust

• Trust starts at 90 before review-signal penalties and metadata bonuses.
• Risk-signal penalty: -43 from 4 detected flag(s).
• Metadata bonus: +5 from author/version/description fields.

Utility

• Utility starts at 55 and rewards clear descriptions, runnable examples, and explicit setup needs.
• Description present: yes.
• Command examples detected: 0.
• Environment variables detected: 1.

Momentum

• Momentum starts at 45 and uses public repo activity signals.
• Recent commit activity: latest repo update was 0 day(s) ago.
• Recent commit volume: 39 commit(s) in the lookback window (+20).
• Source has strong public adoption: 133579 stars.
• Fork activity suggests reuse: 21599 forks.

Overall

• Overall score weights trust 45%, utility 35%, and momentum 20%.

Detected signals

Env vars

• API

Commands

None detected in SKILL.md text scan.

URLs

• https://docs.claude.com/en/docs/claude-code/hooks

Provenance & evidence

SkillRadar makes each review traceable back to the exact source path, source blob SHA, scanner version, and text-only policy that produced the report.

source

github.com/anthropics/claude-code@main

path

plugins/plugin-dev/skills/hook-development/SKILL.md

source blob SHA

d1c0c199c70e8cef8fee8d3b792b0a27ff33046c

scanner version

0.3.0

security model

text_only_no_execute_no_install_no_secrets

scan policy

Fetched and scored as text only; no install, no execution, no runtime loading.

Evidence snippets

filesystem_write_or_home_access

…ion hooks for code quality", "hooks": { "PreToolUse": [ { "matcher": "Write", "hooks": [ { "type": "command", "command": "$…

network_access

…cripts for common issues and best practices ### External Resources - **Official Docs**: https://docs.claude.com/en/docs/claude-code/hooks - **Examples**: See security-guidance plugin in…

browser_or_session_access

…warnings." } ] } ] } ``` ### SessionStart Execute when Claude Code session begins. Use to load context and set environment. **Example:** ```json { "SessionStart"…

shell_command

…] } ``` **Special capability:** Persist environment variables using `$CLAUDE_ENV_FILE`: ```bash echo "export PROJECT_TYPE=nodejs" >> "$CLAUDE_ENV_FILE" ``` See `examples/load-context.s…

Watch this skill

Get alerted when this skill adds credential requirements, shell commands, external domains, remote installer patterns, or risk-level changes.

Join watchlist beta

Methodology note

SkillRadar scans SKILL.md as hostile text only. It does not execute commands, install packages, or load third-party skills.

View source SKILL.md Back to changes View sources