[FEATURE] Skill Discovery Notifications & sessionStart Security Controls
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
Claude Code allows skills to be added to a repository via ./.claude/ and shared with collaborators. Combined with settings.json preapprovals and sessionStart capabilities, this creates a significant security vulnerability:
If a user clones a repository containing malicious skills with sessionStart hooks, those skills can execute bash scripts _without explicit user consent_.
This could enable:
- Unauthorized code execution on developer machines
- Credential harvesting
- Malicious commits pushed to other repositories the developer has access to
- A cascading supply chain attack as compromised repos infect other developers
The attack surface is particularly concerning because developers routinely clone unfamiliar repositories for evaluation, contribution, or reference.
User Experience Gap
Beyond security, there's a missed collaboration opportunity.
In practice:
- Developers add skills to solve their own problems
- They rarely announce or document these additions to teammates
- Other developers on the project never discover potentially useful skills
- Institutional knowledge about repo-specific Claude capabilities remains siloed
Skills are a force multiplier, but only if the team knows they exist.
| Stakeholder | Benefit |
|-------------|---------|
| Individual developers | Protection from malicious repos; awareness of available tools |
| Teams | Organic skill discovery; shared tooling without overhead of documentation |
| Organizations | Reduced supply chain attack surface; audit trail of skill approvals |
| Anthropic | Differentiated security posture; encourages skill ecosystem growth |
Proposed Solution
Implement a skill registry cache with change detection and user notification.
Core Mechanism
- Maintain a local cache of skills/agents/plugins for each repository (per-user, outside the repo itself)
- On session start, compare the current repo's skill manifest against the cached version
- If changes are detected, surface them to the user before execution
Security Flow
For skills with sessionStart or other code-execution capabilities:
- Do not auto-execute on first encounter
- Require explicit user approval, or at minimum, display a clear notice with the option to abort
- Log which skills were approved for future sessions
Discovery Flow
When new or modified skills are detected, present a friendly notification:
🚀 Your Claude Code just got new capabilities!
This repo added the following since your last session:
• legal-research-agent — Queries state law databases
• pr-summary-skill — Auto-generates PR descriptions
• test-coverage-check — Runs coverage on changed files
[Review] [Trust & Continue] [Exit]
This serves dual purposes:
- Security: Users can exit or investigate before trusting unfamiliar skills
- Knowledge sharing: Teams organically discover and adopt best practices
Alternative Solutions
No alternative solution currently exists.
Plugins and hooks loaded via sessionStart cannot emit content to the user—they execute silently, bypassing any opportunity for user awareness or intervention.
Priority
High - Significant impact on productivity
Feature Category
Configuration and settings
Use Case Example
Scenario: Sarah joins a new team and clones the company's internal compliance-api repository.
Today (without this feature):
Sarah runs claude in the repo. Unbeknownst to her, a previous developer added a sessionStart skill that runs npm install and executes a post-install script. The skill runs automatically. If the repo had been compromised (or if Sarah cloned a typosquatted package), malicious code now has access to her machine, SSH keys, and every repo she can push to.
Meanwhile, the repo also contains a genuinely useful generate-audit-log skill that would save her hours of work—but she never discovers it because no one told her it exists.
With this feature:
Sarah runs claude. Before any code executes, she sees:
🚀 New capabilities detected in this repo:
• env-setup (sessionStart) — Runs npm install and seeds local DB
• generate-audit-log — Creates compliance reports from git history
• pr-compliance-check — Validates PRs against SOC2 requirements
These skills can execute code. Review before continuing?
[Review Details] [Trust & Continue] [Exit]
Sarah can inspect env-setup before trusting it, avoids a potential attack vector, and immediately learns about tools that make her productive on day one.
Additional Context
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗