feat(security): harden repo with scoped permissions, CVE mapping, and scan evidence

Settings.json: 16 scoped Bash grants (was 6 wildcards), 26-pattern deny list (was 5).
CVE mapping: all 9 OpenClaw CVEs mapped to specific defenses with layer documentation.
Scan results: posture Grade D (expected without llm-security), deep scan 0 critical/high.
Hooks README: Option A — document llm-security hooks, recommend plugin installation.
README: evidence-based security section with scan data and verification instructions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Kjell Tore Guttormsen 2026-04-05 23:58:59 +02:00
commit 841cd32c66
7 changed files with 425 additions and 58 deletions

@ -1,18 +1,66 @@
# Hooks
Claude Code hooks are shell scripts or HTTP endpoints that run
before or after tool execution. They are the primary security
mechanism for Claude Code, equivalent to OpenClaw's exec approvals
before or after tool execution. They are the primary runtime
security mechanism, equivalent to OpenClaw's exec approvals
and Docker sandboxing.
## Files in this directory
| File | Hook event | Purpose |
|------|-----------|---------|
| `pre-tool-use.sh` | PreToolUse | Blocks dangerous shell commands |
| `post-tool-use.sh` | PostToolUse | Logs all tool executions |
| `pre-tool-use.sh` | PreToolUse | Blocks dangerous shell commands (educational demo) |
| `post-tool-use.sh` | PostToolUse | Logs all tool executions (educational demo) |
| `audit.log` | (generated) | Append-only audit trail |
These scripts demonstrate the hook mechanism with basic pattern
matching. For production use, see the next section.
## Production hooks: llm-security plugin
The [llm-security plugin](https://git.fromaitochitta.com/open/claude-code-llm-security)
provides 8 production-grade hooks that cover the OpenClaw CVEs
documented in `security/cve-mitigation-map.md`:
| Hook | Event | CVE coverage |
|------|-------|-------------|
| `pre-prompt-inject-scan.mjs` | UserPromptSubmit | CVE-2026-30741 (prompt injection to RCE) |
| `pre-edit-secrets.mjs` | PreToolUse (Edit/Write) | Credential exfiltration prevention |
| `pre-bash-destructive.mjs` | PreToolUse (Bash) | CVE-2026-32048 (sandbox escape), CVE-2026-32032 (shell injection) |
| `pre-install-supply-chain.mjs` | PreToolUse (Bash) | Supply chain attacks (ClawHub malware equivalent) |
| `pre-write-pathguard.mjs` | PreToolUse (Write) | CVE-2026-22171 (path traversal/file write) |
| `post-mcp-verify.mjs` | PostToolUse (all) | CVE-2026-29607 (approval bypass via output injection) |
| `post-session-guard.mjs` | PostToolUse (all) | Runtime trifecta detection (untrusted input + data access + exfiltration) |
| `update-check.mjs` | UserPromptSubmit | Version currency |
Key differences from the demo hooks in this directory:
| Aspect | Demo hooks (this repo) | llm-security hooks |
|--------|----------------------|-------------------|
| Language | Bash (grep-based) | Node.js (cross-platform) |
| Detection | Simple pattern matching | Regex, Levenshtein distance, taint tracing |
| Coverage | Bash commands only | All tool types + MCP output + prompts |
| Supply chain | Not covered | 7 package managers, OSV.dev, typosquat detection |
| Prompt injection | Not covered | 3-layer defense (input, output, session pattern) |
### Installing llm-security
```bash
# In your Claude Code settings (~/.claude/settings.json):
{
"enabledPlugins": {
"llm-security@plugin-marketplace": true
}
}
```
Or clone standalone:
```bash
git clone https://git.fromaitochitta.com/open/claude-code-llm-security.git \
~/.claude/plugins/llm-security
```
## How hooks work
Hooks are configured in `.claude/settings.json`:
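Review bot: the first fenced block under "Installing llm-security" is tagged `bash` but its body is a JSON fragment for `~/.claude/settings.json` (the `enabledPlugins` object); tag it `json` so it is not read as a shell command, and keep the `# In your Claude Code settings` line as prose above the fence rather than as a comment inside JSON. Two smaller points in the same region: the intro says the plugin's 8 hooks "cover the OpenClaw CVEs documented in `security/cve-mitigation-map.md`", but the hook table cites only five CVE ids (30741, 32048, 32032, 22171, 29607) while the commit message counts nine, so either list which CVEs are handled by settings.json deny rules rather than hooks or soften the sentence to "cover the hook-addressable CVEs"; and the standalone `git clone` into `~/.claude/plugins/llm-security` gives the reader no way to verify what they installed, so suggest pinning a tag or commit and mentioning how to check it.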
@ -47,16 +95,14 @@ or triggering follow-up actions.
### Other hook events
Claude Code supports these additional events:
| Event | When it fires |
|-------|--------------|
| SessionStart | When Claude Code launches |
| SessionEnd | When the session closes |
| UserPromptSubmit | Before processing user input |
| PreToolUse | Before a tool executes |
| PostToolUse | After a tool executes |
| Stop | When Claude Code finishes a response |
| SubagentStop | When a subagent completes |
| UserPromptSubmit | Before processing user input |
| PreCompact | Before context compaction |
| Notification | When Claude Code shows a notification |
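Review bot: `UserPromptSubmit` appears twice in the "Other hook events" table (once after `SessionEnd` and again after `SubagentStop`); if both rows survive this edit, drop one so each event is listed exactly once.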
## Comparison to OpenClaw
@ -65,11 +111,12 @@ Claude Code supports these additional events:
|---------|----------|-------------|
| Exec blocking | /approve command + DM pairing | PreToolUse hooks |
| Audit logging | command-logger hook | PostToolUse hooks |
| Tool deny lists | Per-session/agent config | disallowedTools + settings.json deny |
| Container isolation | Docker sandbox (off/non-main/all) | macOS sandbox-exec |
| Tool deny lists | Per-session/agent config | settings.json deny + hooks |
| Container isolation | Docker sandbox (off/non-main/all) | macOS sandbox-exec (optional) |
| Policy engine | NemoClaw YAML policies | Hook scripts (any logic) |
| HTTP webhooks | Built-in webhook system | HTTP hooks (POST JSON to URL) |
| Prompt injection | Tool policy validation (bypassed: CVE-2026-29607, 28460) | Multi-layer hooks (input + output + session) |
| Supply chain | Manual review (824 malicious skills found) | Automated scanning (7 package managers) |
Claude Code hooks are more flexible (arbitrary shell logic) but
require more setup. OpenClaw's approach is more structured but
less customizable.
has documented enforcement gaps.
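Review bot: in the "Prompt injection" row the second identifier is written as the bare number "28460", which is not a resolvable CVE id; write it in full in the same form as CVE-2026-29607 so the reader can look it up. The "Supply chain" row states "824 malicious skills found" without a source, unlike the CVE-backed rows; add the reference (or point to `security/cve-mitigation-map.md` if it is recorded there). The rewritten closing sentence "OpenClaw's approach is more structured but has documented enforcement gaps" is fine, but it now asserts something the rows above only partly evidence, so linking it to the bypassed-CVE entries in the table would make the claim self-supporting.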