security: plugin scripts allow YAML injection and symlink-based credential overwrite
Open 💬 0 comments Opened Jul 11, 2026 by 1837620622
Summary
Several official plugins/scripts under this repo have defensive gaps that can turn local untrusted input or planted symlinks into integrity issues:
- ralph-wiggum
setup-ralph-loop.sh:completion_promiseis written into YAML frontmatter with only outer quotes — embedded"/ newlines can inject extra keys (e.g. flipactive). - ralph-wiggum
stop-hook.sh:transcript_pathfrom hook JSON is read without rejecting..or symlinks. - plugin-dev
load-context.shexample + docs: appends to$CLAUDE_ENV_FILEwithout checking for symlink redirect (classic credential-file overwrite pattern). - plugin-settings
parse-frontmatter.sh: field name is interpolated intogrep/sedpatterns without identifier validation. - security-guidance
session_state.py: state write follows symlinks (open(path,"w")) withoutO_NOFOLLOW.
Expected
Plugin examples and scripts used as reference implementations should refuse symlink redirect and sanitize YAML / field names.
Environment
- Repo: anthropics/claude-code (plugins/ + scripts/)