
sec: shell/SQLi via agent name in hooks.ts #2

@Ridgeio

Description


Summary

Agent names pass unescaped through installClaudeCodeHook() in src/hooks.ts into both a shell assignment and a sqlite SQL statement. A name containing " breaks out of the shell assignment; a name containing ' OR 1=1 -- can alter the hook's sqlite queries.

Evidence

  • src/hooks.ts:113 — SWARM_AGENT_NAME="${agentName}" ... written with no shell escaping.
  • src/hooks.ts:71 — generated hook interpolates $AGENT_NAME directly into sqlite SQL.
  • Entry path: swarm join <name> (headless) → installHook(host, name) via src/index.ts:84.

Impact

Arbitrary shell command execution and SQL manipulation via a crafted agent name. Any operator who runs swarm join "<malicious-name>" or receives a crafted name through a shared swarm setup is exposed.

Fix sketch

Validate agent names at registration time (e.g. ^[A-Za-z0-9_-]{1,64}$), and defense-in-depth: properly shell-quote in hook file generation and use parameterized sqlite calls in the hook script.
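As an added example (not the project's own code), the two layers of the fix sketch in TypeScript: the allow-list check at registration time and POSIX single-quote shell quoting for the generated hook line. The function names and the exact shape of the emitted line are assumptions.

```typescript
// Added example, not code from src/hooks.ts. Models the fix sketch for a
// hypothetical hook generator shaped like installClaudeCodeHook().

// Layer 1: allow-list validation at registration time (regex from the fix sketch).
const AGENT_NAME_RE = /^[A-Za-z0-9_-]{1,64}$/;

function validateAgentName(name: string): string {
  if (!AGENT_NAME_RE.test(name)) {
    throw new Error(`invalid agent name: ${JSON.stringify(name)}`);
  }
  return name;
}

// Layer 2 (defence in depth): wrap the value in single quotes and escape any
// embedded single quote as '\'' so it can never terminate the shell assignment,
// even if the allow-list is relaxed later.
function shellQuote(value: string): string {
  return `'${value.replace(/'/g, `'\\''`)}'`;
}

// Defence in depth for the SQL side: a proper SQL string literal doubles
// embedded single quotes. Prefer real parameter binding where the sqlite
// client offers it; this is the fallback for a shell-generated statement.
function sqlLiteral(value: string): string {
  return `'${value.replace(/'/g, "''")}'`;
}

// Hypothetical hook line generator: validate first, then quote.
function hookEnvLine(agentName: string): string {
  return `SWARM_AGENT_NAME=${shellQuote(validateAgentName(agentName))}`;
}

// Hypothetical SQL fragment for the hook, using the literal-escaping fallback.
function hookSqlFragment(agentName: string): string {
  return `WHERE agent_name = ${sqlLiteral(validateAgentName(agentName))}`;
}
```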

Context

Surfaced by codex challenge during review of PR #1 (lazy-reap). Out of scope for that PR — filing here per Lead.

Labels: P1 (High priority), security (Security vulnerability or hardening)
