cc-safe-setup 29.6.32 → 29.6.36

package/examples/self-modify-bypass-guard.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+# self-modify-bypass-guard.sh — Auto-allow .claude/ writes in bypass mode
+#
+# Solves: Self-modification guard prompts for .claude/ writes even when
+#         bypassPermissions is active (#40463). The guard fires before
+#         hooks/permissions are evaluated.
+#
+# How it works: PermissionRequest hook that detects .claude/ write prompts
+#   and auto-allows them when the project uses bypassPermissions mode.
+#   Exempts security-sensitive paths (settings.json, CLAUDE.md).
+#
+# TRIGGER: PermissionRequest
+# MATCHER: ""
+
+set -euo pipefail
+
+INPUT=$(cat)
+
+# Extract the permission request details
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+
+# Only handle Edit/Write to .claude/ paths
+case "$TOOL" in
+  Edit|Write) ;;
+  *) exit 0 ;;
+esac
+
+case "$FILE" in
+  .claude/*|*/.claude/*) ;;
+  *) exit 0 ;;
+esac
+
+# Security-sensitive files: always prompt (don't auto-allow)
+BASENAME=$(basename "$FILE")
+case "$BASENAME" in
+  settings.json|settings.local.json|CLAUDE.md)
+    # Let the default prompt handle these
+    exit 0 ;;
+esac
+
+# Check if bypassPermissions is configured
+SETTINGS=".claude/settings.json"
+if [ -f "$SETTINGS" ]; then
+    MODE=$(jq -r '.defaultMode // empty' "$SETTINGS" 2>/dev/null)
+    if [ "$MODE" = "bypassPermissions" ]; then
+        # Auto-allow: output hookSpecificOutput to approve
+        echo '{"hookSpecificOutput":{"hookEventName":"PermissionRequest","allow":true}}'
+        exit 0
+    fi
+fi
+
+# Not in bypass mode — let default prompt handle it
+exit 0

package/examples/sensitive-log-guard.sh

@@ -1,3 +1,5 @@
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 INPUT=$(cat)
 FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
 [[ -z "$FILE" ]] && exit 0

package/examples/session-checkpoint.sh

@@ -19,6 +19,8 @@
 #
 # Recovery: Add to CLAUDE.md:
 #   "If ~/.claude/checkpoints/ has a file for this project, read it first."
+#
+# TRIGGER: Stop  MATCHER: ""
 
 INPUT=$(cat)
 REASON=$(echo "$INPUT" | jq -r '.stop_reason // empty' 2>/dev/null)

package/examples/session-duration-guard.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+# ================================================================
+# session-duration-guard.sh — Warn on long-running sessions
+# ================================================================
+# PURPOSE:
+#   Model quality degrades in very long sessions due to context
+#   accumulation, compaction artifacts, and attention dilution.
+#   This hook warns at configurable thresholds and suggests
+#   saving state + starting fresh.
+#
+#   Based on 700+ hours of autonomous operation experience.
+#
+# TRIGGER: PostToolUse
+# MATCHER: ""  (all tools)
+#
+# CONFIG:
+#   CC_SESSION_WARN_HOURS=2  (warn after 2 hours, default)
+#   CC_SESSION_CRITICAL_HOURS=4  (critical after 4 hours, default)
+# ================================================================
+
+MARKER="/tmp/cc-session-start-$$"
+WARN_HOURS="${CC_SESSION_WARN_HOURS:-2}"
+CRITICAL_HOURS="${CC_SESSION_CRITICAL_HOURS:-4}"
+
+# Create marker on first run
+if [ ! -f "$MARKER" ]; then
+    date +%s > "$MARKER"
+    exit 0
+fi
+
+# Check every 50 tool calls (not every call)
+COUNTER="/tmp/cc-duration-counter-$$"
+COUNT=$(cat "$COUNTER" 2>/dev/null || echo 0)
+COUNT=$((COUNT + 1))
+echo "$COUNT" > "$COUNTER"
+[ $((COUNT % 50)) -ne 0 ] && exit 0
+
+START=$(cat "$MARKER" 2>/dev/null || echo 0)
+NOW=$(date +%s)
+ELAPSED=$(( (NOW - START) / 3600 ))
+ELAPSED_MIN=$(( (NOW - START) / 60 ))
+
+if [ "$ELAPSED" -ge "$CRITICAL_HOURS" ]; then
+    echo "⚠ CRITICAL: Session running for ${ELAPSED_MIN} minutes (${ELAPSED}+ hours)." >&2
+    echo "  Model quality typically degrades after ${CRITICAL_HOURS} hours." >&2
+    echo "  Save your state and start a new session: /compact then resume later." >&2
+elif [ "$ELAPSED" -ge "$WARN_HOURS" ]; then
+    echo "NOTE: Session running for ${ELAPSED_MIN} minutes. Consider saving state." >&2
+fi
+
+exit 0

package/examples/session-end-logger.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+# session-end-logger.sh — Log session activity at exit
+#
+# Solves: No built-in session audit trail. When a session ends,
+#         there's no record of what was done unless you manually check
+#         git log or conversation history (#40010).
+#
+# How it works: SessionEnd hook that captures recent git commits,
+#   modified files, and session metadata into a structured log file.
+#
+# TRIGGER: SessionEnd
+# MATCHER: ""
+#
+# Usage:
+# {
+#   "hooks": {
+#     "SessionEnd": [{
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/session-end-logger.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+SESSION_ID=$(echo "$INPUT" | jq -r '.session_id // "unknown"' 2>/dev/null)
+
+LOG_DIR=".claude/session-logs"
+mkdir -p "$LOG_DIR"
+LOG_FILE="$LOG_DIR/$(date '+%Y-%m-%d').md"
+
+{
+    echo ""
+    echo "## Session $SESSION_ID — $(date '+%H:%M')"
+    echo ""
+
+    # Recent git activity
+    if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+        COMMITS=$(git log --oneline --since="1 hour ago" 2>/dev/null)
+        if [ -n "$COMMITS" ]; then
+            echo "### Commits"
+            echo '```'
+            echo "$COMMITS"
+            echo '```'
+        fi
+
+        CHANGED=$(git diff --name-only HEAD~5..HEAD 2>/dev/null | head -20)
+        if [ -n "$CHANGED" ]; then
+            echo "### Changed files"
+            echo '```'
+            echo "$CHANGED"
+            echo '```'
+        fi
+    fi
+
+    echo ""
+} >> "$LOG_FILE"
+
+exit 0

package/examples/session-error-rate-monitor.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+# ================================================================
+# session-error-rate-monitor.sh — Detect session quality degradation
+# ================================================================
+# PURPOSE:
+#   Long sessions (6+ hours) show quality decay: more errors,
+#   ignored instructions, and destructive actions. This hook
+#   tracks the error rate over a rolling window and warns when
+#   it exceeds a threshold, suggesting a session restart.
+#
+# How it works:
+#   - Counts tool calls and errors (exit code != 0) in a state file
+#   - Calculates error rate over last N tool calls
+#   - Warns (stderr) when error rate exceeds threshold
+#   - Does NOT block — purely advisory (exit 0 always)
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Bash"
+#
+# CONFIG:
+#   CC_ERROR_RATE_WINDOW=20  (rolling window size)
+#   CC_ERROR_RATE_THRESHOLD=40  (% error rate to trigger warning)
+#
+# See: https://github.com/anthropics/claude-code/issues/32963
+# ================================================================
+
+INPUT=$(cat)
+EXIT_CODE=$(echo "$INPUT" | jq -r '.tool_result.exit_code // "0"' 2>/dev/null)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+# Only track Bash tool calls
+[[ "$TOOL" != "Bash" ]] && exit 0
+
+WINDOW=${CC_ERROR_RATE_WINDOW:-20}
+THRESHOLD=${CC_ERROR_RATE_THRESHOLD:-40}
+STATE_DIR="${HOME}/.claude/state"
+mkdir -p "$STATE_DIR"
+STATE_FILE="$STATE_DIR/error-rate-history.log"
+
+# Record result: 0=success, 1=error
+if [ "$EXIT_CODE" = "0" ]; then
+    echo "0" >> "$STATE_FILE"
+else
+    echo "1" >> "$STATE_FILE"
+fi
+
+# Keep only last N entries
+TOTAL=$(wc -l < "$STATE_FILE" 2>/dev/null || echo "0")
+if [ "$TOTAL" -gt "$WINDOW" ]; then
+    tail -n "$WINDOW" "$STATE_FILE" > "$STATE_FILE.tmp"
+    mv "$STATE_FILE.tmp" "$STATE_FILE"
+fi
+
+# Calculate error rate
+if [ "$TOTAL" -ge "$WINDOW" ]; then
+    ERRORS=$(tail -n "$WINDOW" "$STATE_FILE" | grep -c "^1$" || echo "0")
+    RATE=$(( ERRORS * 100 / WINDOW ))
+
+    if [ "$RATE" -ge "$THRESHOLD" ]; then
+        echo "⚠ Session quality alert: ${RATE}% error rate over last ${WINDOW} commands (threshold: ${THRESHOLD}%)" >&2
+        echo "  Consider: /compact or starting a fresh session" >&2
+    fi
+fi
+
+exit 0

package/examples/session-health-monitor.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+# session-health-monitor.sh — Monitor session health metrics
+#
+# Solves: Long-running sessions degrade silently — context fills up,
+#         tool calls slow down, errors accumulate. No visibility into
+#         session health until it's too late.
+#
+# How it works: PreToolUse hook that tracks session metrics:
+#   - Tool call count (proxy for context usage)
+#   - Error rate (consecutive failures)
+#   - Session duration
+#   Warns at configurable thresholds.
+#
+# TRIGGER: PreToolUse
+# MATCHER: ""
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/session-health-monitor.sh" }]
+#     }]
+#   }
+# }
+
+STATE="/tmp/cc-health-$$"
+
+# Initialize on first call
+if [ ! -f "$STATE" ]; then
+    echo "start=$(date +%s) calls=0 errors=0" > "$STATE"
+fi
+
+# Read current state
+eval $(cat "$STATE")
+calls=$((calls + 1))
+
+# Update state
+echo "start=$start calls=$calls errors=$errors" > "$STATE"
+
+# Check thresholds
+DURATION=$(( ($(date +%s) - start) / 60 ))
+
+if [ "$calls" -eq 50 ]; then
+    echo "ℹ Session health: 50 tool calls, ${DURATION}m elapsed." >&2
+fi
+
+if [ "$calls" -eq 150 ]; then
+    echo "⚠ Session health: 150 tool calls, ${DURATION}m elapsed. Context may be getting full." >&2
+    echo "Consider saving state and starting a fresh session." >&2
+fi
+
+if [ "$calls" -ge 250 ] && [ $((calls % 50)) -eq 0 ]; then
+    echo "🔴 Session health: $calls tool calls, ${DURATION}m elapsed. Performance may be degraded." >&2
+fi
+
+# Duration warning
+if [ "$DURATION" -ge 120 ] && [ $((calls % 100)) -eq 0 ]; then
+    echo "⏰ Session running for ${DURATION}m. Long sessions accumulate context drift." >&2
+fi
+
+exit 0

package/examples/session-memory-watchdog.sh

@@ -0,0 +1,17 @@
+MAX_RSS_MB="${CC_MAX_RSS_MB:-4096}"
+CHECK_INTERVAL=300
+(
+    while true; do
+        sleep "$CHECK_INTERVAL"
+        pgrep -f "claude" | while read pid; do
+            RSS_KB=$(ps -o rss= -p "$pid" 2>/dev/null | tr -d ' ')
+            [ -z "$RSS_KB" ] && continue
+            RSS_MB=$((RSS_KB / 1024))
+            if [ "$RSS_MB" -gt "$MAX_RSS_MB" ]; then
+                echo "[$(date -Iseconds)] PID $pid: ${RSS_MB}MB > ${MAX_RSS_MB}MB limit" >> ~/.claude/memory-watchdog.log
+                kill -15 "$pid" 2>/dev/null
+            fi
+        done
+    done
+) &
+exit 0

package/examples/session-permission-reset-guard.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+# session-permission-reset-guard.sh — Override session-cached permissions
+#
+# Solves: Sandbox mode caching session-level permissions (#40384).
+#         After approving a command once, sandbox caches the approval
+#         for the entire session, bypassing the allow list.
+#
+# How it works: PreToolUse hook that enforces per-invocation checks
+#   for specified commands, regardless of session cache state.
+#   Acts as a secondary permission layer outside the caching system.
+#
+# CONFIG:
+#   CC_ALWAYS_CHECK_COMMANDS="git commit:git push:npm publish:cargo install"
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Commands that should always require hook-level check
+ALWAYS_CHECK="${CC_ALWAYS_CHECK_COMMANDS:-git commit:git push:npm publish:cargo install:pip install}"
+
+IFS=':' read -ra PATTERNS <<< "$ALWAYS_CHECK"
+for pattern in "${PATTERNS[@]}"; do
+  # Match the pattern anywhere in the command (including chained commands)
+  if echo "$COMMAND" | grep -qiF "$pattern"; then
+    echo "HOOK CHECK: '$pattern' detected — hook-level review." >&2
+    echo "Command: $COMMAND" >&2
+    echo "" >&2
+    echo "This hook enforces per-invocation checks regardless of" >&2
+    echo "session permission caching. To allow, remove this pattern" >&2
+    echo "from CC_ALWAYS_CHECK_COMMANDS." >&2
+    exit 2
+  fi
+done
+
+exit 0

package/examples/session-resume-env-fix.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+# session-resume-env-fix.sh — Fix CLAUDE_ENV_FILE path on session resume
+#
+# Solves: CLAUDE_ENV_FILE points to startup session directory, but Bash
+#         tool loads from resumed session directory (#40391, #24775).
+#         Environment variables written by SessionStart hooks are lost.
+#
+# How it works: SessionStart hook that detects resume (source="resume")
+#   and copies/symlinks env files from the startup session directory
+#   to the resumed session directory.
+#
+# TRIGGER: SessionStart
+# MATCHER: ""
+
+set -euo pipefail
+
+INPUT=$(cat)
+SOURCE=$(echo "$INPUT" | jq -r '.source // empty' 2>/dev/null)
+SESSION_ID=$(echo "$INPUT" | jq -r '.session_id // empty' 2>/dev/null)
+
+# Only act on resume events
+[ "$SOURCE" = "resume" ] || exit 0
+[ -n "$SESSION_ID" ] || exit 0
+[ -n "${CLAUDE_ENV_FILE:-}" ] || exit 0
+
+# Extract the startup session directory from CLAUDE_ENV_FILE
+STARTUP_DIR=$(dirname "$CLAUDE_ENV_FILE")
+ENV_BASE=$(dirname "$STARTUP_DIR")
+
+# Construct the resumed session directory
+RESUME_DIR="${ENV_BASE}/${SESSION_ID}"
+
+# If they're the same, no fix needed
+[ "$STARTUP_DIR" != "$RESUME_DIR" ] || exit 0
+
+# Create resumed session directory if missing
+mkdir -p "$RESUME_DIR"
+
+# Copy all env files from startup dir to resumed dir
+for envfile in "$STARTUP_DIR"/*.sh; do
+    [ -f "$envfile" ] || continue
+    BASENAME=$(basename "$envfile")
+    if [ ! -f "$RESUME_DIR/$BASENAME" ]; then
+        cp "$envfile" "$RESUME_DIR/$BASENAME"
+        echo "Copied env file to resumed session: $BASENAME" >&2
+    fi
+done
+
+exit 0

package/examples/session-state-saver.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
 STATE_DIR="${HOME}/.claude"

package/examples/session-summary-stop.sh

@@ -17,6 +17,8 @@
 #     }]
 #   }
 # }
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 
 INPUT=$(cat)
 

package/examples/session-summary.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 echo "" >&2
 echo "=== Session Summary ===" >&2
 BRANCH=$(git branch --show-current 2>/dev/null)

package/examples/session-token-counter.sh

@@ -24,6 +24,8 @@
 #   CC_TOOL_WARN_100  — threshold 1 (default: 100)
 #   CC_TOOL_WARN_200  — threshold 2 (default: 200)
 #   CC_TOOL_WARN_500  — threshold 3 (default: 500)
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)

package/examples/settings-auto-backup.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+# ================================================================
+# settings-auto-backup.sh — Auto-backup settings on session start
+# ================================================================
+# PURPOSE:
+#   Claude Code auto-updates have been observed silently wiping
+#   settings.json, settings.local.json, and plugin state. (#40714)
+#   This hook creates rolling backups on every session start and
+#   warns if settings appear to have been reset.
+#
+# TRIGGER: Notification
+# MATCHER: "SessionStart"
+#
+# BACKUPS: ~/.claude/settings-backups/
+# ================================================================
+
+BACKUP_DIR="$HOME/.claude/settings-backups"
+mkdir -p "$BACKUP_DIR"
+
+TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+BACKED_UP=0
+
+# Backup settings files
+for f in settings.json settings.local.json; do
+    SRC="$HOME/.claude/$f"
+    if [ -f "$SRC" ] && [ -s "$SRC" ]; then
+        cp "$SRC" "$BACKUP_DIR/${f%.json}-${TIMESTAMP}.json"
+        BACKED_UP=$((BACKED_UP + 1))
+    fi
+done
+
+# Keep only last 10 backups per file type
+for prefix in settings settings.local; do
+    ls -t "$BACKUP_DIR/${prefix}-"*.json 2>/dev/null | tail -n +11 | xargs rm -f 2>/dev/null
+done
+
+# Detect suspicious settings reset
+SETTINGS="$HOME/.claude/settings.json"
+if [ -f "$SETTINGS" ]; then
+    KEY_COUNT=$(jq 'keys | length' "$SETTINGS" 2>/dev/null || echo 0)
+    if [ "$KEY_COUNT" -le 1 ]; then
+        LATEST_BACKUP=$(ls -t "$BACKUP_DIR/settings-"*.json 2>/dev/null | head -2 | tail -1)
+        if [ -n "$LATEST_BACKUP" ]; then
+            BACKUP_KEYS=$(jq 'keys | length' "$LATEST_BACKUP" 2>/dev/null || echo 0)
+            if [ "$BACKUP_KEYS" -gt "$KEY_COUNT" ]; then
+                echo "⚠ Settings may have been reset ($KEY_COUNT keys vs $BACKUP_KEYS in backup)" >&2
+                echo "  Restore: cp '$LATEST_BACKUP' '$SETTINGS'" >&2
+            fi
+        fi
+    fi
+fi
+
+exit 0

package/examples/settings-mutation-detector.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+# settings-mutation-detector.sh — Detect unauthorized changes to Claude settings files
+#
+# Solves: Claude Code can modify its own settings files during
+#         a session, potentially disabling safety hooks or
+#         changing permissions without user awareness.
+#
+# How it works: On first run, takes a hash of key settings files.
+#   On subsequent runs, compares the current hash. If changed,
+#   warns the user. This catches silent permission escalation
+#   or hook removal.
+#
+# TRIGGER: PostToolUse
+# MATCHER: ""
+
+set -euo pipefail
+
+HASH_FILE="/tmp/claude-settings-hash-$$"
+
+# Files to monitor
+SETTINGS_FILES=""
+for f in \
+  ".claude/settings.json" \
+  ".claude/settings.local.json" \
+  "${HOME}/.claude/settings.json" \
+  "${HOME}/.claude/settings.local.json"; do
+  [ -f "$f" ] && SETTINGS_FILES="$SETTINGS_FILES $f"
+done
+
+[ -z "$SETTINGS_FILES" ] && exit 0
+
+# Calculate current hash
+CURRENT_HASH=$(cat $SETTINGS_FILES 2>/dev/null | md5sum | cut -d' ' -f1)
+
+if [ -f "$HASH_FILE" ]; then
+  PREV_HASH=$(cat "$HASH_FILE")
+  if [ "$CURRENT_HASH" != "$PREV_HASH" ]; then
+    echo "WARNING: Claude settings files were modified during this session!" >&2
+    echo "  Files monitored: $SETTINGS_FILES" >&2
+    echo "  Review changes to ensure hooks and permissions are intact." >&2
+  fi
+fi
+
+echo "$CURRENT_HASH" > "$HASH_FILE"
+exit 0

package/examples/shell-wrapper-guard.sh

@@ -13,6 +13,8 @@
 # This hook unwraps interpreter one-liners and checks the inner command.
 #
 # Usage: PreToolUse hook on "Bash"
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)

package/examples/skill-gate.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
 [[ "$TOOL" != "Skill" ]] && exit 0

package/examples/skill-injection-detector.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+# skill-injection-detector.sh — Detect silently injected skills/plugins
+#
+# Solves: Skills and plugins from claude.ai silently injected into Claude Code
+#         sessions (#39686). External tool definitions bloat context and
+#         can override local behavior without user awareness.
+#
+# How it works: Notification hook that monitors for unexpected skill/plugin
+#   loading messages. Warns when tools are loaded from external sources.
+#   Also checks MCP config for unexpected servers.
+#
+# TRIGGER: PreToolUse
+# MATCHER: ""
+
+set -euo pipefail
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+# Check MCP tool calls for unexpected servers
+if [ "$TOOL" = "Bash" ]; then
+  COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+  # Detect MCP server addition
+  if echo "$COMMAND" | grep -qE 'claude\s+mcp\s+add'; then
+    echo "WARNING: MCP server addition detected." >&2
+    echo "Command: $COMMAND" >&2
+    echo "Verify this server is expected before proceeding." >&2
+  fi
+fi
+
+# Check for skill/plugin invocation from unexpected sources
+if echo "$INPUT" | jq -e '.tool_input.skill // empty' 2>/dev/null | grep -qv '^$'; then
+  SKILL=$(echo "$INPUT" | jq -r '.tool_input.skill' 2>/dev/null)
+  # Check if skill is local
+  if [ ! -f ".claude/skills/${SKILL}/SKILL.md" ] && [ ! -f ".claude/skills/${SKILL}.md" ]; then
+    echo "WARNING: Skill '$SKILL' invoked but not found locally." >&2
+    echo "This may be an externally injected skill." >&2
+  fi
+fi
+
+exit 0