Plugin Settings Pattern for Claude Code Plugins

The skill demonstrates using `tmux send-keys` with values (`coordinator_session`, `agent_name`) directly read from a user-controlled `.local.md` file. This allows for arbitrary command injection into the `tmux` session if an attacker can modify the settings file.

tmux send-keys -t "$COORDINATOR" "Agent $AGENT_NAME completed task" Enter

The skill provides an example of sanitizing user input by escaping double quotes when writing to a settings file. However, this is insufficient to prevent shell metacharacters (e.g., semicolons, backticks, dollar signs) from being injected, which could lead to command injection when the values are later read and used in shell scripts.

SAFE_VALUE=$(echo "$USER_INPUT" | sed 's/"/\\"/g')

The `.claude/*.local.md` files are designed to store persistent configuration. If an attacker can inject malicious settings into these files, it can lead to persistent execution of malicious commands or other undesirable behaviors whenever the associated hooks or commands are triggered.

Lifecycle: User-managed (not in git, should be in `.gitignore`)

The skill explicitly states that commands can use the `Bash` tool, granting the agent the ability to execute arbitrary shell commands. While this is a core feature, it significantly increases the attack surface when combined with the ability to read user-controlled configuration files.

allowed-tools: ["Read", "Bash"]