From c651ade4d76a5f1731c4c6f56e02b73c7b3f35b2 Mon Sep 17 00:00:00 2001 From: Steve Nims Date: Sat, 13 Dec 2025 09:54:06 -0500 Subject: [PATCH] docs: minor script and documentation improvements from security review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Address four low-priority improvements identified during security review: 1. Add chmod reminder to hook-development SKILL.md - users copying example scripts encounter permission errors; added note to make scripts executable 2. Parameterize plugin name in read-settings-hook.sh - replaced hardcoded "my-plugin" with ${PLUGIN_NAME:-my-plugin} pattern to teach portable hooks 3. Add timeout to jq validation in test-hook.sh - maintains defensive consistency with other timeout patterns in the script 4. Document race condition behavior in parse-frontmatter.sh - clarifies that settings files are assumed stable (changes require Claude Code restart) Fixes #163 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- plugins/plugin-dev/skills/hook-development/SKILL.md | 2 ++ .../skills/hook-development/scripts/test-hook.sh | 4 ++-- .../skills/plugin-settings/examples/read-settings-hook.sh | 8 +++++--- .../skills/plugin-settings/scripts/parse-frontmatter.sh | 4 ++++ 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/plugins/plugin-dev/skills/hook-development/SKILL.md b/plugins/plugin-dev/skills/hook-development/SKILL.md index 42bada5..0eaf86b 100644 --- a/plugins/plugin-dev/skills/hook-development/SKILL.md +++ b/plugins/plugin-dev/skills/hook-development/SKILL.md @@ -689,6 +689,8 @@ For detailed patterns and advanced techniques, consult: Working examples in `examples/`: +> **Note:** After copying example scripts, make them executable: `chmod +x script.sh` + - **`validate-write.sh`** - File write validation example - **`validate-bash.sh`** - Bash command validation example - **`load-context.sh`** - SessionStart context loading example 
diff --git a/plugins/plugin-dev/skills/hook-development/scripts/test-hook.sh b/plugins/plugin-dev/skills/hook-development/scripts/test-hook.sh index 8c9b82d..d0477e9 100755 --- a/plugins/plugin-dev/skills/hook-development/scripts/test-hook.sh +++ b/plugins/plugin-dev/skills/hook-development/scripts/test-hook.sh @@ -169,8 +169,8 @@ if [[ "$TEST_INPUT" =~ [\;\|\&\`\$\(\)\{\}\<\>] ]]; then exit 1 fi -# Validate test input JSON -if ! jq empty "$TEST_INPUT" 2>/dev/null; then +# Validate test input JSON (with timeout for defensive consistency) +if ! timeout 5 jq empty "$TEST_INPUT" 2>/dev/null; then echo "❌ Error: Test input is not valid JSON" exit 1 fi diff --git a/plugins/plugin-dev/skills/plugin-settings/examples/read-settings-hook.sh b/plugins/plugin-dev/skills/plugin-settings/examples/read-settings-hook.sh index e1b8220..9bd6434 100755 --- a/plugins/plugin-dev/skills/plugin-settings/examples/read-settings-hook.sh +++ b/plugins/plugin-dev/skills/plugin-settings/examples/read-settings-hook.sh @@ -1,11 +1,13 @@ #!/bin/bash -# Example hook that reads plugin settings from .claude/my-plugin.local.md +# Example hook that reads plugin settings from .claude/.local.md # Demonstrates the complete pattern for settings-driven hook behavior set -euo pipefail -# Define settings file path -SETTINGS_FILE=".claude/my-plugin.local.md" +# Define settings file path using environment variable with default +# This allows the plugin name to be configured externally if needed +PLUGIN_NAME="${PLUGIN_NAME:-my-plugin}" +SETTINGS_FILE=".claude/${PLUGIN_NAME}.local.md" # Quick exit if settings file doesn't exist if [[ ! -f "$SETTINGS_FILE" ]]; then diff --git a/plugins/plugin-dev/skills/plugin-settings/scripts/parse-frontmatter.sh b/plugins/plugin-dev/skills/plugin-settings/scripts/parse-frontmatter.sh index f247571..5b7fd62 100755 --- a/plugins/plugin-dev/skills/plugin-settings/scripts/parse-frontmatter.sh +++ b/plugins/plugin-dev/skills/plugin-settings/scripts/parse-frontmatter.sh 
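Review bot: In test-hook.sh, the new `timeout 5 jq empty "$TEST_INPUT" 2>/dev/null` check reports every non-zero status as "Test input is not valid JSON", so a timeout (status 124 from GNU `timeout`) or a missing `timeout` binary (127) is misreported as malformed input. Stderr is also discarded, so nothing else explains the failure. Capturing the status and giving the timeout its own message keeps the defensive intent without hiding the cause. The rest of the script lies outside the hunk, so the variable name and indentation below are placeholders.

```shell
# Validate test input JSON (with timeout for defensive consistency)
jq_status=0
timeout 5 jq empty "$TEST_INPUT" 2>/dev/null || jq_status=$?
if [[ "$jq_status" -eq 124 ]]; then
  echo "❌ Error: JSON validation timed out after 5s"
  exit 1
elif [[ "$jq_status" -ne 0 ]]; then
  echo "❌ Error: Test input is not valid JSON"
  exit 1
fi
```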
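Review bot: In read-settings-hook.sh, `PLUGIN_NAME` now comes from the environment and is interpolated into `SETTINGS_FILE=".claude/${PLUGIN_NAME}.local.md"` unchecked, so a value containing `/` or `..` points the hook at a settings file outside `.claude/`. Because this example is meant to be copied, it should validate the name right after the default is applied, e.g. `[[ "$PLUGIN_NAME" =~ ^[A-Za-z0-9_-]+$ ]] || { echo "Invalid PLUGIN_NAME" >&2; exit 1; }`. The added comment could also say who is expected to set the variable, since nothing in the hunk exports it. The script body continues past the end of the hunk.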
@@ -1,6 +1,10 @@ #!/bin/bash # Frontmatter Parser Utility # Extracts YAML frontmatter from .local.md files +# +# Note: This script assumes the settings file is stable (not being written to). +# Settings changes require a Claude Code restart to take effect, so there's no +# need for file locking in normal usage. set -euo pipefail