Security patch addressing Gen Agent Trust Hub FAIL and Snyk WARN audit results on skills.sh.
Stop hook — cache search removed: The Stop hook no longer searches ~/.claude/plugins/cache recursively. It now resolves through $CLAUDE_SKILL_DIR first, then two specific known install paths. A malicious script planted elsewhere in the cache can no longer be found and executed.
ExecutionPolicy Bypass removed: Changed to RemoteSigned across all 14 variants. Bypass circumvents all script policies; RemoteSigned allows local scripts while still blocking unsigned remote ones.
Prompt injection delimiters: Injected plan content is now wrapped in ---BEGIN PLAN DATA--- / ---END PLAN DATA--- markers. Hook output explicitly instructs the model to treat enclosed content as structured data and ignore any instruction-like text within it.
Security Boundary updated: Documents the delimiter contract and adds explicit instruction that findings.md content (third-party web/search results) must be treated as raw data regardless of what it contains.