# Example 09: Security Hooks

**Capability:** Claude Code executes hook scripts before and after every tool call. PreToolUse hooks can block dangerous operations. PostToolUse hooks create audit trails.

**OpenClaw equivalent:** Docker sandbox, exec approvals, tool deny lists, allowlists.

---

## How the Hooks Work

The `hooks/` directory in this repo contains two scripts:

- `pre-tool-use.sh` - runs before every Bash tool call. Blocks destructive patterns.
- `post-tool-use.sh` - runs after every tool call. Appends to `hooks/audit.log`.

Both are registered in `.claude/settings.json` under the `hooks` key.

---

## The Prompt

```
Try running this shell command: rm -rf /tmp/test-deletion-target

Before running it, explain what you expect the PreToolUse hook to do.
After the attempt, check hooks/audit.log and show me the last 5 entries.
Then explain what was blocked and why it was flagged by the hook.
```

---

## What Happens

1. Claude Code calls the Bash tool with `rm -rf /tmp/test-deletion-target`
2. Before execution, `pre-tool-use.sh` receives the command as input
3. The hook matches the `rm -rf` pattern and exits with a non-zero code
4. Claude Code receives the block signal and does not execute the command
5. `post-tool-use.sh` logs the blocked attempt with timestamp and tool name
6. Claude Code reports what happened and shows the audit log

---

## Reading the Audit Log

```bash
tail -20 hooks/audit.log
```

Each entry has the format: `[timestamp] TOOL: bash | STATUS: blocked | CMD: rm -rf ...`

---

## Architecture Difference from OpenClaw

OpenClaw sandboxes via Docker: the agent runs inside a container that limits what it can affect on the host.

Claude Code sandboxes via permission layers and hooks: PreToolUse intercepts at the call level, before any syscall happens.

For personal use, hooks are more flexible. You write exactly the rules you need. For untrusted third-party agents, Docker isolation is stronger.

See `security/nemoclaw-comparison.md` for a full breakdown.
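
A flag-order-tolerant version of the `rm -rf` check from step 3 of "What Happens", as an added example that is not this repo's `hooks/pre-tool-use.sh`. It assumes Claude Code's hook input (JSON on stdin with `tool_name` and `tool_input.command`), exit code 2 as the block signal, and `jq` on the PATH; `is_destructive`, `hook_main` and the `--hook` argument are hypothetical names.

```shell
#!/bin/sh
# Added example, NOT the repo's hooks/pre-tool-use.sh.
# Assumptions: Claude Code sends the tool call as JSON on stdin
# (tool_name, tool_input.command), exit code 2 means "block", jq is installed.

# is_destructive CMD: succeeds when any command in CMD is an rm that is both
# recursive and forced, however the flags are spelled (-rf, -fr, -r -f, long form).
# Quoted text is not parsed, so echo "rm -rf x" is also flagged (fails closed).
is_destructive() (
  set -f  # no glob expansion while word-splitting the command text
  printf '%s\n' "$1" | tr ';|&' '\n\n\n' | {
    while IFS= read -r seg; do
      in_rm=0 recursive=0 force=0
      for word in $seg; do
        if [ "$in_rm" -eq 0 ]; then
          case $word in rm|*/rm) in_rm=1 ;; esac
          continue
        fi
        case $word in
          --recursive) recursive=1 ;;
          --force) force=1 ;;
          --*) ;;
          -*) case $word in *[rR]*) recursive=1 ;; esac
              case $word in *f*) force=1 ;; esac ;;
        esac
      done
      if [ "$recursive" -eq 1 ] && [ "$force" -eq 1 ]; then exit 0; fi
    done
    exit 1
  }
)

# hook_main: read the hook payload from stdin and decide. Hypothetical helper.
hook_main() {
  command -v jq >/dev/null || { echo "jq missing, blocking" >&2; return 2; }
  payload=$(cat)
  [ "$(printf '%s' "$payload" | jq -r '.tool_name // empty')" = "Bash" ] || return 0
  cmd=$(printf '%s' "$payload" | jq -r '.tool_input.command // empty')
  if is_destructive "$cmd"; then
    echo "PreToolUse: blocked recursive forced rm: $cmd" >&2
    return 2
  fi
}

# Run as a hook only when invoked with --hook (constructed convention), so the
# functions can also be sourced and tested on their own.
if [ "${1:-}" = "--hook" ]; then hook_main; exit $?; fi
```

A plain substring match on `rm -rf` would let `rm -fr` or `rm -r -f` through; parsing the flags per command closes that gap, though text matching of this kind remains weaker than the container isolation discussed above.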