docs: minor script and documentation improvements from security review

Address four low-priority improvements identified during security review:

1. Add chmod reminder to hook-development SKILL.md - users copying example
   scripts encounter permission errors; added note to make scripts executable

2. Parameterize plugin name in read-settings-hook.sh - replaced hardcoded
   "my-plugin" with ${PLUGIN_NAME:-my-plugin} pattern to teach portable hooks

3. Add timeout to jq validation in test-hook.sh - maintains defensive
   consistency with other timeout patterns in the script

4. Document race condition behavior in parse-frontmatter.sh - clarifies that
   settings files are assumed stable (changes require Claude Code restart)

Fixes #163

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: sjnims

plugins/plugin-dev/skills/hook-development/SKILL.md

@@ -689,6 +689,8 @@ For detailed patterns and advanced techniques, consult:
 
 Working examples in `examples/`:
 
+> **Note:** After copying example scripts, make them executable: `chmod +x script.sh`
+
 - **`validate-write.sh`** - File write validation example
 - **`validate-bash.sh`** - Bash command validation example
 - **`load-context.sh`** - SessionStart context loading example

plugins/plugin-dev/skills/hook-development/scripts/test-hook.sh

@@ -169,8 +169,8 @@ if [[ "$TEST_INPUT" =~ [\;\|\&\`\$\(\)\{\}\<\>] ]]; then
   exit 1
 fi
 
-# Validate test input JSON
-if ! jq empty "$TEST_INPUT" 2>/dev/null; then
+# Validate test input JSON (with timeout for defensive consistency)
+if ! timeout 5 jq empty "$TEST_INPUT" 2>/dev/null; then
   echo "❌ Error: Test input is not valid JSON"
   exit 1
 fi

plugins/plugin-dev/skills/plugin-settings/examples/read-settings-hook.sh

@@ -1,11 +1,13 @@
 #!/bin/bash
-# Example hook that reads plugin settings from .claude/my-plugin.local.md
+# Example hook that reads plugin settings from .claude/<plugin>.local.md
 # Demonstrates the complete pattern for settings-driven hook behavior
 
 set -euo pipefail
 
-# Define settings file path
-SETTINGS_FILE=".claude/my-plugin.local.md"
+# Define settings file path using environment variable with default
+# This allows the plugin name to be configured externally if needed
+PLUGIN_NAME="${PLUGIN_NAME:-my-plugin}"
+SETTINGS_FILE=".claude/${PLUGIN_NAME}.local.md"
 
 # Quick exit if settings file doesn't exist
 if [[ ! -f "$SETTINGS_FILE" ]]; then

plugins/plugin-dev/skills/plugin-settings/scripts/parse-frontmatter.sh

@@ -1,6 +1,10 @@
 #!/bin/bash
 # Frontmatter Parser Utility
 # Extracts YAML frontmatter from .local.md files
+#
+# Note: This script assumes the settings file is stable (not being written to).
+# Settings changes require a Claude Code restart to take effect, so there's no
+# need for file locking in normal usage.
 
 set -euo pipefail