security-hook-blocks-literal-exec-eval-tokens-in-prose
The security_reminder_hook triggers on literal exec( and eval( token strings even when they appear in documentation, handoff documents, or prose describing the hook itself — a recurring meta-recursion false positive. Any non-code content (skill files, handoffs, session-close reports) that mentions these tokens by exact spelling will be blocked. Workaround is descriptive language: ‘the eval function’, ‘runtime execution’, or ‘dynamic invocation’ instead of the literal token.