security: plugin scripts allow YAML injection and symlink-based credential overwrite

Open 💬 0 comments Opened Jul 11, 2026 by 1837620622

Summary

Several official plugins/scripts under this repo have defensive gaps that can turn local untrusted input or planted symlinks into integrity issues:

  1. ralph-wiggum setup-ralph-loop.sh: completion_promise is written into YAML frontmatter with only outer quotes — embedded " / newlines can inject extra keys (e.g. flip active).
  2. ralph-wiggum stop-hook.sh: transcript_path from hook JSON is read without rejecting .. or symlinks.
  3. plugin-dev load-context.sh example + docs: appends to $CLAUDE_ENV_FILE without checking for symlink redirect (classic credential-file overwrite pattern).
  4. plugin-settings parse-frontmatter.sh: field name is interpolated into grep/sed patterns without identifier validation.
  5. security-guidance session_state.py: state write follows symlinks (open(path,"w")) without O_NOFOLLOW.

Expected

Plugin examples and scripts used as reference implementations should refuse symlink redirect and sanitize YAML / field names.

Environment

  • Repo: anthropics/claude-code (plugins/ + scripts/)

View original on GitHub ↗