disler-hooks-tts
Provides AI-generated text-to-speech audio feedback, prompt validation, security controls, and session logging for Claude Code interactions.
71 / 100 · Grade D (D = 60–69)
“I need to enhance my Claude Code sessions with audio feedback, validate and improve my prompts, add security controls before tool usage, and maintain structured logs of my interactions.”
disler-hooks-tts earned Verified status with a trust score of 71/100 (Grade D). Adversarial testing produced 9 findings (1 critical, 7 high, 1 medium). Security scan flagged 0 findings. Tier is Verified rather than Certified due to unmitigated findings above severity thresholds.
Trust Score Breakdown
Eight weighted signals composing the aggregate trust score
Scheme v2.0 · Weights provisional · Consumer confirmations and uptime use pipeline-derived baselines.
Findings
Security scan results, adversarial testing, and pipeline review
Security Scan — Cisco Skill Scanner
Adversarial Testing — 6 categories, 9 findings
The notification.py hook processes user-provided messages and incorporates them into TTS announcements. While the current implementation only uses predefined messages, the structure accepts arbitrary message content from input_data.get('message') and could be extended to process user content. The hook lacks explicit data boundary markers around user content references, creating potential for instruction injection if the message processing is expanded.
Several hooks execute shell commands using subprocess.run with user-controlled parameters. The notification.py hook executes TTS scripts with user-provided message content as arguments, and other hooks execute uv commands with paths that could be influenced by user input through environment variables like $CLAUDE_PROJECT_DIR. While some validation exists in permission_request.py for safe bash commands, the actual execution paths in hooks don't consistently apply these protections.
The skill grants extensive bash permissions including 'Bash(chmod:*)' which allows arbitrary file permission modifications. Multiple hook scripts are executed automatically at various lifecycle events (PreToolUse, PostToolUse, SessionStart, etc.) with these elevated permissions. This creates a concrete attack surface where malicious hook scripts could modify file permissions system-wide.
The notification hook script accesses environment variables (ELEVENLABS_API_KEY, OPENAI_API_KEY, ENGINEER_NAME) and executes external TTS scripts. While the current implementation appears to only read these variables, the broad bash permissions combined with automatic hook execution could enable system-level modifications if the hook scripts were compromised or modified.
The skill implements extensive logging across multiple hooks that capture and store tool inputs, outputs, and intermediate data. The pre_tool_use.py, post_tool_use.py, permission_request.py, and other hooks log complete tool inputs and outputs to JSON files. This logging could expose sensitive data like file contents, command outputs, API responses, or user inputs that pass through the system.
While the pre_tool_use.py hook correctly blocks direct access to .env files, the comprehensive logging system captures all tool inputs and outputs. If a tool somehow accesses credential files or environment variables, this data would be logged to the JSON files. Additionally, the permission_request.py logs all permission requests including tool inputs that might contain credential-related commands.
The skill contains multiple conditional statements that reference system environment variables and state that users wouldn't anticipate. The notification.py script uses conditional logic based on the ENGINEER_NAME environment variable and random probability (30% chance) to modify behavior. The get_tts_script_path() function conditionally selects TTS providers based on API key environment variables (ELEVENLABS_API_KEY, OPENAI_API_KEY) without documenting this behavior in the skill's declared scope.
The notification hook implements persistent TTS behavior that announces 'Your agent needs your input' across all sessions without explicit termination conditions or scope boundaries. The behavior persists beyond individual tasks and affects all future agent interactions.
The skill extensively uses 'uv run' commands to execute Python scripts with dependencies specified inline via script metadata, but these dependencies are not declared in the skill's dependency list. Multiple scripts use packages like 'python-dotenv' that are installed at runtime without being in the declared dependencies.
Methodology v1.0 · 6 categories · ~55 attack patterns
Interface
Skill triggers and instruction summary
Activation
Binds to lifecycle events: PreToolUse, PostToolUse, Notification, Stop, SubagentStop, UserPromptSubmit, PreCompact, SessionStart, SessionEnd, PermissionRequest, PostToolUseFailure, SubagentStart, Setup
Hook configuration with 13 handler(s)
Scope & Permissions
What this capability can and cannot access — derived from pipeline analysis
Certification Notes
Provenance observations from the pipeline
Publisher "disler" is not verified — first certification from this publisher
No license file found in repository
No SECURITY.md or SECURITY.txt file found — no published vulnerability reporting process
Single contributor — no peer review evidence in commit history
Package description appears to be boilerplate or template text
Signed Artifact
Certification provenance and verification metadata
Pipeline Artifacts
Raw data files from this certification run — downloadable for independent verification
contract.json: Full unsigned contract
stage1-ingest.json: Ingest stage output
stage2a-sbom.json: SBOM generation results
stage2a-vulns.json: Vulnerability scan results
stage2b-security.json: Security scan results
stage3a-functional.json: Functional test results
stage3b-adversarial.json: Adversarial test results
stage3c-fingerprint.json: Behavioral fingerprint
stage4-certify.json: Certification decision + trust score
stage3a-measurements.json: Raw functional test measurements
stage3b-measurements.json: Raw adversarial test measurements
run-log.json: Pipeline execution log
Not all files may be present for every certification.