[FEATURE] Skill Discovery Notifications & sessionStart Security Controls

Open 💬 3 comments Opened Jan 23, 2026 by arlogilbert

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

Claude Code allows skills to be added to a repository via ./.claude/ and shared with collaborators. Combined with settings.json preapprovals and sessionStart capabilities, this creates a significant security vulnerability:

If a user clones a repository containing malicious skills with sessionStart hooks, those skills can execute bash scripts _without explicit user consent_.

This could enable:

  • Unauthorized code execution on developer machines
  • Credential harvesting
  • Malicious commits pushed to other repositories the developer has access to
  • A cascading supply chain attack as compromised repos infect other developers

The attack surface is particularly concerning because developers routinely clone unfamiliar repositories for evaluation, contribution, or reference.

User Experience Gap
Beyond security, there's a missed collaboration opportunity.

In practice:

  • Developers add skills to solve their own problems
  • They rarely announce or document these additions to teammates
  • Other developers on the project never discover potentially useful skills
  • Institutional knowledge about repo-specific Claude capabilities remains siloed

Skills are a force multiplier, but only if the team knows they exist.

| Stakeholder | Benefit |
|-------------|---------|
| Individual developers | Protection from malicious repos; awareness of available tools |
| Teams | Organic skill discovery; shared tooling without overhead of documentation |
| Organizations | Reduced supply chain attack surface; audit trail of skill approvals |
| Anthropic | Differentiated security posture; encourages skill ecosystem growth |

Proposed Solution

Implement a skill registry cache with change detection and user notification.

Core Mechanism

  • Maintain a local cache of skills/agents/plugins for each repository (per-user, outside the repo itself)
  • On session start, compare the current repo's skill manifest against the cached version
  • If changes are detected, surface them to the user before execution

Security Flow

For skills with sessionStart or other code-execution capabilities:

  • Do not auto-execute on first encounter
  • Require explicit user approval, or at minimum, display a clear notice with the option to abort
  • Log which skills were approved for future sessions

Discovery Flow

When new or modified skills are detected, present a friendly notification:

🚀 Your Claude Code just got new capabilities!

This repo added the following since your last session:
  • legal-research-agent — Queries state law databases
  • pr-summary-skill — Auto-generates PR descriptions
  • test-coverage-check — Runs coverage on changed files

[Review] [Trust & Continue] [Exit]

This serves dual purposes:

  • Security: Users can exit or investigate before trusting unfamiliar skills
  • Knowledge sharing: Teams organically discover and adopt best practices

Alternative Solutions

No alternative solution currently exists.

Plugins and hooks loaded via sessionStart cannot emit content to the user—they execute silently, bypassing any opportunity for user awareness or intervention.

Priority

High - Significant impact on productivity

Feature Category

Configuration and settings

Use Case Example

Scenario: Sarah joins a new team and clones the company's internal compliance-api repository.

Today (without this feature):
Sarah runs claude in the repo. Unbeknownst to her, a previous developer added a sessionStart skill that runs npm install and executes a post-install script. The skill runs automatically. If the repo had been compromised (or if Sarah cloned a typosquatted package), malicious code now has access to her machine, SSH keys, and every repo she can push to.

Meanwhile, the repo also contains a genuinely useful generate-audit-log skill that would save her hours of work—but she never discovers it because no one told her it exists.

With this feature:
Sarah runs claude. Before any code executes, she sees:

🚀 New capabilities detected in this repo:

  • env-setup (sessionStart) — Runs npm install and seeds local DB
  • generate-audit-log — Creates compliance reports from git history
  • pr-compliance-check — Validates PRs against SOC2 requirements

These skills can execute code. Review before continuing?
[Review Details] [Trust & Continue] [Exit]

Sarah can inspect env-setup before trusting it, avoids a potential attack vector, and immediately learns about tools that make her productive on day one.

Additional Context

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗