100Critical
The skill allows persistent policy injection via local files, enabling
Behavior Analysis
Description verified — behavior matches claim
Claims to do
Writing Hookify Rules: Hookify rules are markdown files with YAML frontmatter that define patterns to watch for and messages to show when those patterns match. Rules are stored in `.claude/hookify.{rule-name}.local.md` files.
Actually does
This skill provides comprehensive instructions and examples for users to create and manage 'Hookify' rules. These rules are markdown files stored locally (`.claude/hookify.{rule-name}.local.md`) that define regex patterns and conditions to watch for in bash commands, file operations, agent stop events, or user prompts. When a pattern matches, the rule can trigger a warning message or block an operation. The skill itself does not execute commands, access data, or contact external URLs; it only describes how to configure a separate system.
Skill Info
Nameanthropics/claude-code/writing-rules
Registrygithub
Version5c18c787f262
PURLpkg:github/anthropics/claude-code@5c18c787f262?skill=writing-rules
Stars114,388
Installs455,628
Source
SHA-256cf7a6a0b9209...
SHA-1258babaec7f8...
MD504b36543f7f8...
TLSH1602c972edca...
ssdeep96:lqzzlWkb0...
Size8,423 bytes
Install
This skill has been flagged as potentially malicious. Review the findings below before installing.
Assessments (2)
AI Agent Traps ↗Arbitrary Policy Injection, Persistence, and Controlcriticalpersistence, tool poisoning, goal hijacking, reconnaissance, autonomy abuse
The skill enables the definition and dynamic loading of arbitrary 'Hookify Rules' from local files (`.claude/hookify.{rule-name}.local.md`). An attacker with write access to these files can inject persistent policies to gain broad control over the agent's behavior, including blocking or warning about specific actions (`action: block|warn`), monitoring various events (bash commands, file operations, user prompts), and potentially hijacking the agent's goals or performing reconnaissance.
100% confidenceline 10
Rules are stored in `.claude/hookify.{rule-name}.local.md` files. (Line 10)
rules are read dynamically on next tool use (Line 180)
`action`: `warn`|`block` (Lines 50-53)
`event`: `bash`|`file`|`stop`|`prompt` (Lines 40-45)
Condition fields: `command`, `file_path`, `new_text`, `old_text`, `content`, `user_prompt` (Lines 100-103, 230-232)Potential for Resource Abuse (ReDoS)lowresource abuse
The `pattern` field uses Python regex syntax. Maliciously crafted complex regular expressions could lead to Regular Expression Denial of Service (ReDoS) when evaluated against input, potentially consuming excessive CPU resources and impacting agent performance or availability.
80% confidenceline 57
`pattern` (simple format): Regex pattern to match ... Python regex syntax (Lines 57-59) operator: `regex_match` (Line 96)
Supply Chain Risk from Example Ruleslowsupply chain
The skill refers to example rules located at `${CLAUDE_PLUGIN_ROOT}/examples/`. If these examples are not carefully vetted or if the `CLAUDE_PLUGIN_ROOT` can be manipulated, an attacker could introduce malicious example rules that an agent or user might adopt, leading to compromised behavior.
70% confidenceline 209
See `${CLAUDE_PLUGIN_ROOT}/examples/` for complete examples (Line 209)Semantic Manipulation via Rule Messagesmediumoversight evasion, human social engineering
The `Message Body` of a rule is displayed to Claude when triggered. This allows for crafting messages that can influence the agent's reasoning, provide biased information, or, if relayed to a human, social engineer the human overseer, potentially leading to approval fatigue or misinformed decisions.
90% confidenceline 106
The markdown content after frontmatter is shown to Claude when the rule triggers. (Line 118) Explain what was detected, Explain why it's problematic, Suggest alternatives or best practices (Lines 121-123)
Version History (2)
Dependencies (13)
agent-sdk-dev.claude-plugin/marketplace.jsonnot scanned
claude-opus-4-5-migration.claude-plugin/marketplace.jsonnot scanned
code-review.claude-plugin/marketplace.jsonnot scanned
commit-commands.claude-plugin/marketplace.jsonnot scanned
explanatory-output-style.claude-plugin/marketplace.jsonnot scanned
feature-dev.claude-plugin/marketplace.jsonnot scanned
frontend-design.claude-plugin/marketplace.jsonnot scanned
hookify.claude-plugin/marketplace.jsonnot scanned
learning-output-style.claude-plugin/marketplace.jsonnot scanned
plugin-dev.claude-plugin/marketplace.jsonnot scanned
pr-review-toolkit.claude-plugin/marketplace.jsonnot scanned
ralph-wiggum.claude-plugin/marketplace.jsonnot scanned
security-guidance.claude-plugin/marketplace.jsonnot scanned
Badge
Markdown
[](https://mondoo.com/ai-agent-security/skills/github/anthropics/claude-code/writing-rules)HTML
<a href="https://mondoo.com/ai-agent-security/skills/github/anthropics/claude-code/writing-rules"><img src="https://mondoo.com/ai-agent-security/api/badge/github/anthropics/claude-code/writing-rules.svg" alt="Mondoo Skill Check" /></a>Image URL
https://mondoo.com/ai-agent-security/api/badge/github/anthropics/claude-code/writing-rules.svgSecure your AI agents
Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.
- Continuous scanning of skills across all registries
- Policy enforcement before skills reach your agents
- Integration with your existing security workflow