Fix shell-form injection in Claude Code plugin hooks by using exec-form args
Claude Code Changelog v2.1.207 (July 11, 2026)·medium signal
Claude Code 2.1.207 (July 11) patched plugin hooks and monitors that interpolated user_config values in shell form — a command-injection vector via plugin option values. The fix and the guidance: use exec form (an args array) or the CLAUDE_PLUGIN_OPTION_<KEY> env vars instead of string-interpolating config into a shell command. If you author Claude Code plugins, audit every hook that builds a shell string from user-supplied config.