claude-code-complete-agent/hooks/pre-tool-use.sh

#!/bin/bash
# PreToolUse hook: Block dangerous shell commands before execution.
#
# This hook reads the tool input from stdin (JSON with tool_name and tool_input)
# and blocks commands that could cause serious damage.
#
# How it works:
# - Claude Code calls this script BEFORE executing any Bash command
# - If the script exits with code 2, the command is BLOCKED
# - The "decision" field in stdout JSON controls the outcome
#
# OpenClaw equivalent: exec approvals + tool deny lists + Docker sandbox
# Claude Code approach: hook-based guardrails (more flexible, user-controlled)

input=$(cat)
tool_name=$(echo "$input" | python3 -c "import sys,json; print(json.load(sys.stdin).get('tool_name',''))" 2>/dev/null)
command=$(echo "$input" | python3 -c "import sys,json; print(json.load(sys.stdin).get('tool_input',{}).get('command',''))" 2>/dev/null)

# Only check Bash commands
if [ "$tool_name" != "Bash" ]; then
  exit 0
fi

# Blocked patterns
blocked_patterns=(
  "rm -rf /"
  "rm -rf ~"
  "rm -rf \$HOME"
  "mkfs"
  "dd if="
  ":(){:|:&};:"
  "chmod -R 777 /"
  "curl.*|.*bash"
  "wget.*|.*bash"
  "curl.*|.*sh"
  "wget.*|.*sh"
  "> /dev/sda"
  "sudo rm"
  "shutdown"
  "reboot"
  "init 0"
  "init 6"
)

for pattern in "${blocked_patterns[@]}"; do
  if echo "$command" | grep -qi "$pattern"; then
    echo '{"decision": "block", "reason": "Blocked by security hook: command matches dangerous pattern '"'$pattern'"'"}'
    exit 2
  fi
done

# Allow everything else
exit 0