Security hooks for Claude Code. Blocks dangerous commands, sensitive file access, force-pushes, and supply-chain attacks before they execute.
Fail-closed on crash. Curated threat catalog. Pure stdlib — no runtime dependencies beyond python3 and jq.
Supply chain (Bash)

- `npm install` / `pnpm add` / `yarn add` of known-malicious or typosquatted packages (hard deny)
- `pip install` / `uv add` of PyPI packages with known compromises (hard deny)
- Pinned versions affected by a known CVE, checked against OSV (hard deny)
- Unpinned installs of packages with historical CVE records: soft `ask` to nudge pinning
- `curl ... | sh` and similar pipe-to-shell patterns from untrusted hosts
Sensitive paths (Read / Write / Edit / MultiEdit / NotebookEdit)

- `~/.ssh/`, `~/.aws/`, `~/.gnupg/`, `~/.netrc`, `~/.pypirc`, `~/.docker/config.json`, `~/.config/gcloud/`, `/etc/shadow`, `/etc/sudoers`
- Any `.env*`, SSH private keys, `.npmrc`, `.pgpass`, `credentials.json`, `terraform.tfvars*`, matched by basename anywhere in the tree
- Any file with extension `.pem`, `.key`, `.p12`, `.pfx` (private keys and PKCS#12 bundles). The public formats `.crt`/`.cer` (certificates) and `.csr` (signing requests) intentionally remain allowed; they carry no secret key material.
Git footguns (Bash)

- `git push --force` / `-f` (`--force-with-lease`, the safe variant, is still allowed)
- `git reset --hard`
- `git branch -D main` / `master`
- `git clean -f` / `-fd`
Exfiltration (Bash)

- Outbound connections to `transfer.sh`, `webhook.site`, `ngrok.io`, and known C2 hosts
- Known IOCs from real incidents (Postmark MCP, etc.)
Each rule returns one of three outcomes — borrowed from the underlying Claude Code hook protocol:
| Outcome | When | Effect |
|---|---|---|
| `allow` (silent) | No rule matched | Tool call proceeds normally |
| `ask` | Soft warning (e.g. an unpinned package has historical CVEs) | Claude Code prompts the user; proceed if intentional, decline otherwise |
| `deny` | Hard block (typosquats, sensitive paths, known affected versions, footguns) | Tool call is rejected with a `permissionDecisionReason` explaining what triggered it |
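The rule catalog and the three outcomes above, reduced to a runnable sketch. This is an added example written for this page, not claukit's own `claukit-guard.py` or `git-safety.sh`. It reads one PreToolUse event on stdin, applies a subset of the rules listed above (force-push with the `--force-with-lease` exception, `reset --hard`, `branch -D main/master`, `clean -f`, pipe-to-shell from a host outside an allowlist, typosquat lookups, credential files by location, basename and extension) and emits `deny` with a reason or stays silent for `allow`; any parse or rule error turns into a `deny`, which is the fail-closed behaviour described later on this page. The typosquat names and the trusted-host allowlist are constructed placeholders rather than IOCs, and the `hookSpecificOutput` envelope and the `file_path` / `notebook_path` input fields are taken from Claude Code's hook and tool documentation and assumed to match what the project emits.

```python
"""Illustrative PreToolUse guard in the shape claukit describes (added example, not the project's code)."""
from __future__ import annotations

import fnmatch
import json
import os
import re
import sys
from urllib.parse import urlparse

# Constructed placeholders: a real catalog holds actual typosquat names (assumption, not IOCs).
TYPOSQUATS = {"npm": {"colurs-demo"}, "pypi": {"requessts-demo"}}
# Assumption: hosts whose installer scripts may be piped to a shell (constructed for the example).
TRUSTED_PIPE_HOSTS = {"get.example.invalid"}

SENSITIVE_DIRS = ("~/.ssh/", "~/.aws/", "~/.gnupg/", "~/.config/gcloud/")
SENSITIVE_FILES = ("~/.netrc", "~/.pypirc", "~/.docker/config.json", "/etc/shadow", "/etc/sudoers")
SENSITIVE_BASENAMES = (".env*", "id_rsa", "id_ed25519", ".npmrc", ".pgpass", "credentials.json", "terraform.tfvars*")
SECRET_EXTS = {".pem", ".key", ".p12", ".pfx"}  # .crt/.cer/.csr deliberately not listed: not secrets

GIT_RULES = [
    (re.compile(r"\bgit\s+push\b.*(\s--force(?!-with-lease)\b|\s-f\b)"), "force-push; use --force-with-lease"),
    (re.compile(r"\bgit\s+reset\b.*--hard\b"), "reset --hard discards uncommitted work"),
    (re.compile(r"\bgit\s+branch\s+-D\s+(main|master)\b"), "deleting main/master"),
    (re.compile(r"\bgit\s+clean\b.*(\s-[a-z]*f[a-z]*\b|\s--force\b)"), "clean -f removes untracked files"),
]
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b\s+(?P<args>[^|]*)\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")
INSTALL = re.compile(r"\b(?:(?P<npm>npm\s+(?:install|i)|pnpm\s+add|yarn\s+add)"
                     r"|(?P<pypi>pip3?\s+install|uv\s+add))\s+(?P<rest>.*)")


def _bare_name(spec: str, eco: str) -> str:
    """Drop the version part: npm 'pkg@1.2' or '@scope/pkg@1.2', PyPI 'pkg[extra]==1.2'."""
    if eco == "npm":
        head, _, _ = spec.rpartition("@")
        return head or spec  # empty head means there was no version suffix
    return re.split(r"[\[=<>!~;]", spec, maxsplit=1)[0]


def check_path(path: str) -> str | None:
    """Deny reason if `path` is a credential file by location, basename or extension, else None."""
    p = os.path.expanduser(path)
    if p in {os.path.expanduser(f) for f in SENSITIVE_FILES} or any(
            p.startswith(os.path.expanduser(d)) for d in SENSITIVE_DIRS):
        return f"sensitive path: {path}"
    base = os.path.basename(p)
    if any(fnmatch.fnmatch(base, g) for g in SENSITIVE_BASENAMES):
        return f"sensitive file by basename: {base}"
    if os.path.splitext(base)[1].lower() in SECRET_EXTS:
        return f"private key or PKCS#12 bundle: {base}"
    return None


def check_command(cmd: str) -> str | None:
    """Deny reason for a Bash command: git footguns, pipe-to-shell, typosquat installs."""
    for rx, why in GIT_RULES:
        if rx.search(cmd):
            return f"git footgun: {why}"
    m = PIPE_TO_SHELL.search(cmd)
    if m:
        hosts = {urlparse(t).hostname or "?" for t in m.group("args").split() if "://" in t} or {"?"}
        if not hosts <= TRUSTED_PIPE_HOSTS:
            return f"pipe-to-shell from untrusted host(s): {', '.join(sorted(hosts))}"
    m = INSTALL.search(cmd)
    if m:
        eco = "npm" if m.group("npm") else "pypi"
        for tok in m.group("rest").split():
            if not tok.startswith("-") and _bare_name(tok, eco) in TYPOSQUATS[eco]:
                return f"known typosquat on {eco}: {_bare_name(tok, eco)}"
    return None


def decide(event: dict) -> tuple[str, str]:
    """Map one PreToolUse event to (permissionDecision, reason); allow is ('allow', '')."""
    tool, inp = event["tool_name"], event.get("tool_input", {})
    if tool == "Bash":
        why = check_command(inp.get("command", ""))
    elif tool in {"Read", "Write", "Edit", "MultiEdit", "NotebookEdit"}:
        why = check_path(inp.get("file_path") or inp.get("notebook_path") or "")  # Claude Code field names
    else:
        why = None
    return ("deny", why) if why else ("allow", "")


def render(decision: str, reason: str) -> dict:
    """Hook output envelope; field names per Claude Code's PreToolUse hook docs (assumed to match)."""
    return {"hookSpecificOutput": {"hookEventName": "PreToolUse", "permissionDecision": decision,
                                   "permissionDecisionReason": reason}}


def run(raw: str) -> dict | None:
    """Parse one event and decide. Any exception becomes a deny: the guard fails closed, never open."""
    try:
        decision, reason = decide(json.loads(raw))
    except Exception as exc:
        decision, reason = "deny", f"guard error, failing closed ({type(exc).__name__}: {exc})"
    return None if decision == "allow" else render(decision, reason)  # None: silent allow


def main() -> int:
    out = run(sys.stdin.read())
    if out is not None:
        print(json.dumps(out))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Piping the same payload shown in the troubleshooting section (`{"tool_name":"Bash","tool_input":{"command":"git push --force"}}`) into this script prints a deny envelope, and a malformed payload prints a deny as well, which is the property to test when you want to be sure a guard cannot be bypassed by crashing it.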
```text
# Add the Nodox Studio marketplace
/plugin marketplace add nodox-studio/claukit

# Install the plugin
/plugin install claukit@nodox-studio
```

The hooks are active immediately. No settings.json patching, no installer script, no manual steps.
After install, run `/plugin list` and confirm claukit is enabled. Then try a harmless block to confirm the hook fires, by asking Claude:

```text
Run "git push --force origin main"
```

Claude should refuse with a `permissionDecisionReason` from `git-safety.sh`. If it doesn't, the hooks aren't loading; see troubleshooting.
- Claude Code with `/plugin` support
- `python3` ≥ 3.7 (uses `from __future__ import annotations` for forward compatibility with PEP 604 `X | Y` annotation syntax)
- `jq` (used by `git-safety.sh` for JSON parsing). If `jq` is missing the script exits silently instead of blocking, so treat this hook as defense-in-depth, not the only line.
- Fail-closed on crash. A guard that crashes silently is worse than no guard: it gives false confidence. If the Python script throws or the bash script errors, the tool call is denied with a clear reason.
- Curated, not heuristic. The threat catalog lists real IOCs from real incidents (Postmark, typosquats of `request`, `colors`, etc.). No fuzzy ML, no false-positive theatre.
- No state. Hooks read stdin, decide, exit. No log files in your home, no telemetry, no network unless explicitly checking a package registry.
- One responsibility per file. `claukit-guard.py` handles paths, supply chain and content scanning; `git-safety.sh` handles git footguns. Each is auditable in one read.
See docs/SECURITY-PATTERNS.md for the full hook shipping protocol and the rules each detector enforces.
| Variable | Effect |
|---|---|
| `CLAUKIT_OFFLINE=1` | Skip all OSV network queries. Useful in air-gapped environments or to make CI runs deterministic. Local detection rules (typosquats, sensitive paths, git footguns) still run. |
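How the `CLAUKIT_OFFLINE` switch interacts with the two OSV-backed rules from the supply-chain list (pinned affected version is a hard deny, unpinned package with advisory history is a soft ask), as an added example written for this page rather than claukit's own code. It parses install commands into (ecosystem, package, pinned version), posts to OSV's `https://api.osv.dev/v1/query` endpoint with the request body the OSV API documents, and reduces the reply to its `vulns[].id` list. The transport is a parameter: `http_fetch` is the real one, and `fake_fetch` serves constructed replies with clearly fake advisory ids so the example runs offline. Setting `CLAUKIT_OFFLINE=1` returns `allow` before any query is built, which is why the table above says only the local rules remain in that mode.

```python
"""Illustrative OSV version check with an offline switch (added example, not the project's code)."""
from __future__ import annotations

import json
import os
import re
import urllib.request
from typing import Callable, Mapping

OSV_QUERY = "https://api.osv.dev/v1/query"   # real endpoint; request body shape per the OSV API docs
ECOSYSTEM = {"npm": "npm", "pnpm": "npm", "yarn": "npm", "pip": "PyPI", "uv": "PyPI"}
Fetch = Callable[[dict], dict]                # OSV query body in, parsed JSON reply out


def parse_install(cmd: str) -> list[tuple[str, str, str | None]]:
    """(OSV ecosystem, package, pinned version or None) for each package in an install command."""
    m = re.search(r"\b(?P<tool>npm|pnpm|yarn|pip3?|uv)\s+(?:install|i|add)\s+(?P<rest>.*)", cmd)
    if not m:
        return []
    eco = ECOSYSTEM[m.group("tool").rstrip("3")]
    specs = []
    for tok in m.group("rest").split():
        if tok.startswith(("-", ".", "/")) or tok.endswith(".txt"):
            continue  # flags, local paths and requirement files are out of scope here
        if eco == "npm":
            name, _, ver = tok.rpartition("@")
            if not name:                      # 'pkg' or '@scope/pkg' with no version suffix
                name, ver = tok, ""
        else:
            parts = re.split(r"(==|~=|>=|<=|!=|<|>)", tok, maxsplit=1)
            name = parts[0].split("[")[0]     # strip extras such as pkg[socks]
            ver = parts[2] if len(parts) == 3 and parts[1] == "==" else ""  # only == counts as a pin
        specs.append((eco, name, ver or None))
    return specs


def osv_query(fetch: Fetch, eco: str, name: str, version: str | None) -> list[str]:
    """Advisory ids OSV knows for `name` at `version`, or across all versions when unpinned."""
    body: dict = {"package": {"name": name, "ecosystem": eco}}
    if version:
        body["version"] = version
    return [v.get("id", "?") for v in fetch(body).get("vulns", [])]


def http_fetch(body: dict) -> dict:
    """Real transport; only reached when CLAUKIT_OFFLINE is not set."""
    req = urllib.request.Request(OSV_QUERY, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def decide_install(cmd: str, fetch: Fetch = http_fetch,
                   env: Mapping[str, str] = os.environ) -> tuple[str, str]:
    """('deny' | 'ask' | 'allow', reason). CLAUKIT_OFFLINE=1 skips every OSV query."""
    specs = parse_install(cmd)
    if not specs or env.get("CLAUKIT_OFFLINE") == "1":
        return ("allow", "")  # offline: only the local, network-free rules apply
    denies, asks = [], []
    for eco, name, version in specs:
        ids = osv_query(fetch, eco, name, version)
        if ids and version:
            denies.append(f"{name}@{version} ({eco}) is affected by {', '.join(ids)}")
        elif ids:
            asks.append(f"{name} ({eco}) is unpinned and has advisory history ({', '.join(ids)}); pin a fixed version")
    if denies:
        return ("deny", "; ".join(denies))
    if asks:
        return ("ask", "; ".join(asks))
    return ("allow", "")


# Constructed OSV-style replies so the example runs offline; the ids are fake, not real advisories.
FAKE_OSV = {
    ("npm", "leftpad-demo", "1.0.0"): {"vulns": [{"id": "DEMO-2024-0001"}]},
    ("npm", "leftpad-demo", None): {"vulns": [{"id": "DEMO-2024-0001"}]},
    ("PyPI", "reqdemo", "9.9"): {"vulns": [{"id": "DEMO-2024-0002"}]},
}


def fake_fetch(body: dict) -> dict:
    key = (body["package"]["ecosystem"], body["package"]["name"], body.get("version"))
    return FAKE_OSV.get(key, {"vulns": []})


if __name__ == "__main__":
    for cmd in ("npm install leftpad-demo@1.0.0", "npm install leftpad-demo", "npm install leftpad-demo@1.0.1"):
        print(cmd, "->", decide_install(cmd, fake_fetch, {}))
```

Pinning is the one thing that turns a vague `ask` into a precise answer: with a version in hand OSV can say whether that exact release is affected, so the pinned case is a hard deny and the unpinned case only nudges. Passing `{}` as `env` in tests keeps the result independent of whatever `CLAUKIT_OFFLINE` happens to be set to in the shell running them.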
Hooks not firing:

```text
/plugin list                            # is claukit enabled?
claude plugin validate ~/Code/claukit   # is the manifest valid?
/reload-plugins                         # force reload after a manifest edit
```

Verify the hook scripts run cleanly outside Claude:

```bash
echo '{"tool_name":"Bash","tool_input":{"command":"git push --force"}}' \
  | ~/.claude/plugins/cache/<...>/claukit/hooks/git-safety.sh
```

A deny JSON response confirms the hook is functional.
MIT — see LICENSE.
See SECURITY.md for vulnerability disclosure.