ClawHub

Nm Abstract Hook Authoring

v1.8.3

Guide for creating Claude Code hooks with security-first design. Use for validation, logging, and policy enforcement

0· 115·1 current·1 all-time
by@athola
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name and description claim an authoring guide for Claude hooks and the included SKILL.md and module files are exactly that: examples, patterns, and best practices. No binaries, env vars, installs, or external credentials are required by the skill itself, which is proportionate to a documentation skill.
Instruction Scope
The instructions include many runnable examples (shell commands, JSON hook configs, and Python SDK code) that show writing logs, running hook commands, and POSTing hook payloads to URLs. Those examples are within scope for a hook authoring guide, but several examples demonstrate writing full tool inputs to logs (which could capture secrets) and describe HTTP hooks that send hook payloads off-host — both are legitimate patterns but risky if copied blindly into global/project hooks. The guide does call out sanitization patterns in some examples, but some snippets (e.g., direct echo of $CLAUDE_TOOL_INPUT) can expose sensitive data if used without redaction.
Install Mechanism
No install specification and no code files are executed by the registry; this is instruction-only, so nothing is downloaded or written at install time.
Credentials
The skill declares no required environment variables or credentials. The docs reference platform variables (CLAUDE_TOOL_NAME, CLAUDE_TOOL_INPUT, CLAUDE_PLUGIN_ROOT, CLAUDE_CODE_DISABLE_CRON) and suggest using an optional PRODUCTION_APPROVED env var in examples — these are usage examples, not requirements. Still, users should be aware examples may reference or check env vars and that hooks can access environment and filesystem when actually installed as hooks.
Persistence & Privilege
always is false and there is no install behavior that persists or modifies other skills or system-wide settings. The documentation explains scopes (plugin, project, global) and warns about persistence; nothing in the skill itself requests elevated or permanent privileges.
Assessment
This is a documentation-only skill (no code is installed). It appears coherent and useful for writing hooks, but be careful when copying examples into your settings.json or plugin hooks: - Avoid logging raw tool inputs (CLAUDE_TOOL_INPUT) or other unredacted data; use sanitization patterns before writing logs. - HTTP-type hooks can send full hook payloads off-host; only point them at endpoints you control and review payloads for secrets. - Prefer project-scoped or plugin-scoped hooks for team controls instead of global hooks that apply to all sessions. - Test hooks in a sandboxed/untrusted workspace before enabling them globally. - Review any hook scripts referenced (e.g., ~/.claude/hooks/*.sh or ${CLAUDE_PLUGIN_ROOT}/scripts/*) before enabling to ensure they don’t perform unintended file access or network calls. Installing this skill itself is low-risk, but the hook configurations you create following its examples can introduce privacy or exfiltration risks if misused.

Like a lobster shell, security has layers — review code before you run it.

latestvk9740zyj3whq3keph6bxt55cdd84k42y

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🦞 Clawdis

Comments