open/claude-code-complete-agent
1
0
Fork 0
Code Activity Actions
claude-code-complete-agent/hooks/README.md
Kjell Tore Guttormsen 841cd32c66 feat(security): harden repo with scoped permissions, CVE mapping, and scan evidence 
Settings.json: 16 scoped Bash grants (was 6 wildcards), 26-pattern deny list (was 5).
CVE mapping: all 9 OpenClaw CVEs mapped to specific defenses with layer documentation.
Scan results: posture Grade D (expected without llm-security), deep scan 0 critical/high.
Hooks README: Option A — document llm-security hooks, recommend plugin installation.
README: evidence-based security section with scan data and verification instructions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-05 23:58:59 +02:00

4.5 KiB
Raw Blame History

Hooks

Claude Code hooks are shell scripts or HTTP endpoints that run before or after tool execution. They are the primary runtime security mechanism, equivalent to OpenClaw's exec approvals and Docker sandboxing.

Files in this directory

File Hook event Purpose
pre-tool-use.sh PreToolUse Blocks dangerous shell commands (educational demo)
post-tool-use.sh PostToolUse Logs all tool executions (educational demo)
audit.log (generated) Append-only audit trail

These scripts demonstrate the hook mechanism with basic pattern matching. For production use, see the next section.

Production hooks: llm-security plugin

The llm-security plugin provides 8 production-grade hooks that cover the OpenClaw CVEs documented in security/cve-mitigation-map.md:

Hook Event CVE coverage
pre-prompt-inject-scan.mjs UserPromptSubmit CVE-2026-30741 (prompt injection to RCE)
pre-edit-secrets.mjs PreToolUse (Edit/Write) Credential exfiltration prevention
pre-bash-destructive.mjs PreToolUse (Bash) CVE-2026-32048 (sandbox escape), CVE-2026-32032 (shell injection)
pre-install-supply-chain.mjs PreToolUse (Bash) Supply chain attacks (ClawHub malware equivalent)
pre-write-pathguard.mjs PreToolUse (Write) CVE-2026-22171 (path traversal/file write)
post-mcp-verify.mjs PostToolUse (all) CVE-2026-29607 (approval bypass via output injection)
post-session-guard.mjs PostToolUse (all) Runtime trifecta detection (untrusted input + data access + exfiltration)
update-check.mjs UserPromptSubmit Version currency

Key differences from the demo hooks in this directory:

Aspect Demo hooks (this repo) llm-security hooks
Language Bash (grep-based) Node.js (cross-platform)
Detection Simple pattern matching Regex, Levenshtein distance, taint tracing
Coverage Bash commands only All tool types + MCP output + prompts
Supply chain Not covered 7 package managers, OSV.dev, typosquat detection
Prompt injection Not covered 3-layer defense (input, output, session pattern)

Installing llm-security

# In your Claude Code settings (~/.claude/settings.json):
{
  "enabledPlugins": {
    "llm-security@plugin-marketplace": true
  }
}

Or clone standalone:

git clone https://git.fromaitochitta.com/open/claude-code-llm-security.git \
  ~/.claude/plugins/llm-security

How hooks work

Hooks are configured in .claude/settings.json:

{
  "hooks": {
    "PreToolUse": [{
      "matcher": "Bash",
      "hooks": [{
        "type": "command",
        "command": "bash hooks/pre-tool-use.sh"
      }]
    }]
  }
}

PreToolUse

Runs before a tool executes. The script receives JSON on stdin with tool_name and tool_input. Return decisions:

  • Exit 0: allow (no output needed)
  • Exit 2 + JSON {"decision": "block", "reason": "..."}: block the tool call

PostToolUse

Runs after a tool executes. Same stdin format plus tool_output. Cannot block (already executed). Use for logging, notifications, or triggering follow-up actions.

Other hook events

Event When it fires
SessionStart When Claude Code launches
UserPromptSubmit Before processing user input
PreToolUse Before a tool executes
PostToolUse After a tool executes
Stop When Claude Code finishes a response
SubagentStop When a subagent completes
Notification When Claude Code shows a notification

Comparison to OpenClaw

Feature OpenClaw Claude Code
Exec blocking /approve command + DM pairing PreToolUse hooks
Audit logging command-logger hook PostToolUse hooks
Tool deny lists Per-session/agent config settings.json deny + hooks
Container isolation Docker sandbox (off/non-main/all) macOS sandbox-exec (optional)
Policy engine NemoClaw YAML policies Hook scripts (any logic)
Prompt injection Tool policy validation (bypassed: CVE-2026-29607, 28460) Multi-layer hooks (input + output + session)
Supply chain Manual review (824 malicious skills found) Automated scanning (7 package managers)

Claude Code hooks are more flexible (arbitrary shell logic) but require more setup. OpenClaw's approach is more structured but has documented enforcement gaps.