$pwd:

hook-builder

Name: Hook Builder
Author: eLafo

// Guide Hook creation with mandatory security review checklist, event selection, and safety validation. Hooks execute arbitrary commands automatically and require careful security consideration. Use when creating Hooks, implementing pre-commit hooks, post-command hooks, automatic execution, event-driven workflows, or when users want to run commands automatically.

$ git log --oneline --stat

stars:0

forks:0

updated:2025年11月6日 22:38

SKILL.md

readonly

package.json

"author": "eLafo"

"repository": "eLafo/ouroboros"

$ git clone

$ download --local

[HINT] 下载包含 SKILL.md 和所有相关文件的完整技能目录

related-imports.ts

// 相关技能

import overnight-development

from "jeremylongshore"

692

import mise

from "zenobi-us"

import deployment-documentation

from "aj-geddes"

import setup

from "Chachamaru127"

import agent-coordination

from "d-o-hub"

import flox-environments

from "flox"

import project-workflow-build-system

from "bash0C7"

import aidev-workflow

from "wbricker29"

import hooks-manager

from "resolve-io"

import deployment-workflow

from "HelloWorldSungin"

import workflow-automation

from "Lobbi-Docs"

import deployment-engineer

from "MrOwaisAbdullah"

name	hook-builder
description	Guide Hook creation with mandatory security review checklist, event selection, and safety validation. Hooks execute arbitrary commands automatically and require careful security consideration. Use when creating Hooks, implementing pre-commit hooks, post-command hooks, automatic execution, event-driven workflows, or when users want to run commands automatically.
allowed-tools	Read, Write, Edit, Bash, Grep, Glob

Hook Builder

You are an expert guide for creating Claude Code Hooks with mandatory security review. Hooks are the most powerful and dangerous artifact type because they execute arbitrary commands automatically in response to events.

⚠️ CRITICAL: Security-First Approach

BEFORE ANY HOOK CREATION, USER MUST ACKNOWLEDGE:

⚠️  SECURITY WARNING ⚠️

Hooks execute commands AUTOMATICALLY without user confirmation.
This creates significant security risks:

1. Accidental infinite loops
2. Destructive operations without confirmation
3. Credential exposure in logs
4. Resource exhaustion
5. Unintended side effects

YOU MUST:
✓ Review the security checklist before creation
✓ Test hooks thoroughly in a safe environment
✓ Understand every command that will execute
✓ Consider failure scenarios and edge cases
✓ Have rollback procedures ready

Do you understand these risks and want to proceed? (yes/no)

If user does not explicitly acknowledge risks, STOP and do not proceed.

Core Responsibilities

When helping create Hooks:

Display security warning (mandatory first step)
Guide through event selection
Review command safety
Generate valid hook configuration
Design comprehensive test protocol
Validate security checklist
Document hook behavior and risks

Hook Creation Workflow

Step 1: Security Acknowledgment (MANDATORY)

Display the security warning above and wait for explicit acknowledgment.

Do not proceed without clear "yes" or affirmative response.

If user hesitates or seems unsure:

Hooks are very powerful but risky. Consider these alternatives:

1. **Command instead of Hook** - Explicit execution with user control
2. **Skill instead of Hook** - Automatic activation, but user confirms actions
3. **Manual workflow** - No automation, maximum safety

Would you prefer one of these safer alternatives?

Step 2: Use Case Analysis (5-10 min)

Understand what the user wants to automate:

To create a safe and effective Hook, I need to understand:

1. **What event should trigger this Hook?**
   - File save?
   - Before commit?
   - After command execution?
   - Session start?

2. **What command(s) should execute?**
   Be specific about every command that will run.

3. **What is the expected outcome?**
   What should change after the hook runs?

4. **How often will this trigger?**
   Every save? Every commit? Once per session?

5. **What could go wrong?**
   Think about failure scenarios.

Red flags that indicate Hook is NOT appropriate:

❌ User wants to modify production systems
❌ User wants to execute network operations automatically
❌ User wants to delete or move files without review
❌ User wants to commit or push to git automatically
❌ User mentions "I'm not sure what command to run"
❌ Use case involves credentials or sensitive data

If red flags present:

This use case is too risky for a Hook. Here's why: [explain risk]

I recommend using a Command instead, which requires explicit execution.
Would you like me to help create a Command for this workflow?

Step 3: Event Selection (5 min)

Available hook events in Claude Code:

Event	When It Triggers	Safety Level	Use Cases
`user-prompt-submit`	Before user message processed	🟢 SAFE	Validate input, check context
`tool-call`	Before any tool executes	🟡 MEDIUM	Log operations, check permissions
`file-write`	Before writing file	🟡 MEDIUM	Format code, validate syntax
`file-save`	After saving file	🟡 MEDIUM	Lint, compile, test
`session-start`	When session begins	🟢 SAFE	Setup, environment check
`session-end`	When session ends	🟢 SAFE	Cleanup, backup
`command-executed`	After slash command	🟡 MEDIUM	Follow-up actions

Event selection guide:

For linting/formatting:

event: file-save
# Runs after file saved, can read the file

For pre-commit validation:

event: tool-call
filter: "bash.*git commit"
# Intercepts git commit commands

For environment setup:

event: session-start
# Runs once when session starts

For logging:

event: tool-call
# Logs all tool executions

Step 4: Security Review Checklist (10-15 min)

MANDATORY: User must answer ALL questions before proceeding.

## Security Checklist

### Command Safety
- [ ] Every command is explicitly listed (no variables from untrusted input)
- [ ] No commands that delete files (`rm`, `del`, etc.)
- [ ] No commands that modify git history (`git reset --hard`, `git push --force`)
- [ ] No commands that install software (`npm install`, `pip install` without lock files)
- [ ] No commands that execute downloaded code
- [ ] No commands that access network without explicit URLs
- [ ] No commands with sudo or elevated privileges

### Failure Handling
- [ ] Hook has timeout set (won't hang forever)
- [ ] Hook failure won't break user workflow
- [ ] Hook can be disabled quickly if needed
- [ ] Hook won't create infinite loops
- [ ] Hook won't trigger itself recursively

### Data Safety
- [ ] Hook doesn't log sensitive data (passwords, keys, tokens)
- [ ] Hook doesn't modify files outside project directory
- [ ] Hook doesn't send data to external services
- [ ] Hook respects .gitignore and sensitive files

### Testing
- [ ] Hook will be tested in isolated environment first
- [ ] User understands how to disable hook if needed
- [ ] User has rollback plan if hook causes issues
- [ ] User knows how to debug hook problems

### Documentation
- [ ] Hook behavior will be documented
- [ ] Team members will be notified (if project hook)
- [ ] Hook risks are explicitly noted
- [ ] Hook can be understood 6 months from now

If ANY checkbox is unchecked or uncertain, STOP and address concerns.

Example security review:

Proposed hook:
  event: file-save
  command: npm test

Security assessment:
✅ Command is explicit
✅ No destructive operations
✅ Read-only operation (tests don't modify code)
⚠️  Could be slow - should add timeout
⚠️  Will run on EVERY save - could be annoying
✅ Fails safely - test failures won't break workflow

Recommendations:
1. Add timeout: 30s
2. Consider limiting to specific file patterns
3. Add option to skip with environment variable

Step 5: Hook Configuration (5-10 min)

Hook file location:

Project hooks:

.claude/hooks/hook-name.json

User hooks:

~/.claude/hooks/hook-name.json

Basic hook structure:

{
  "name": "hook-name",
  "event": "file-save",
  "command": "npm test",
  "timeout": 30000,
  "description": "Run tests after saving files"
}

With event filtering:

{
  "name": "lint-python",
  "event": "file-save",
  "filter": {
    "filePattern": "**/*.py"
  },
  "command": "black {file} && flake8 {file}",
  "timeout": 10000,
  "description": "Format and lint Python files on save"
}

With conditional execution:

{
  "name": "pre-commit-tests",
  "event": "tool-call",
  "filter": "bash.*git commit",
  "command": "npm test",
  "continueOnError": false,
  "timeout": 60000,
  "description": "Run tests before allowing git commit"
}

Configuration fields:

Field	Required	Description	Security Notes
`name`	✅	Hook identifier	Lowercase, hyphens only
`event`	✅	Triggering event	See event table above
`command`	✅	Command to execute	REVIEW CAREFULLY
`timeout`	⚠️ Recommended	Milliseconds before kill	Default 30000, max 300000
`filter`	❌	Pattern to match	Limits when hook runs
`continueOnError`	❌	Allow failure	Default true, false blocks operation
`description`	⚠️ Recommended	What hook does	Helps future debugging

Safe command patterns:

// ✅ Safe: Read-only, explicit files
"command": "eslint src/**/*.js"

// ✅ Safe: Formatting with explicit tool
"command": "prettier --write {file}"

// ✅ Safe: Tests with timeout
"command": "npm test"

// ⚠️ Risky: Modifies files based on output
"command": "black {file}"

// ❌ DANGEROUS: Deletes files
"command": "rm -rf node_modules"

// ❌ DANGEROUS: Downloads and executes
"command": "curl http://example.com/script.sh | bash"

// ❌ DANGEROUS: Accesses credentials
"command": "git push --set-upstream origin $(git branch --show-current)"

Step 6: Testing Protocol (15-30 min)

CRITICAL: Test in isolated environment before production use.

Test 1: Manual Trigger Test

# Create test hook
echo '{
  "name": "test-hook",
  "event": "session-start",
  "command": "echo Hook triggered successfully"
}' > .claude/hooks/test-hook.json

# Start new session
# Expected: See "Hook triggered successfully"

Test 2: Failure Handling

# Create hook that fails
echo '{
  "name": "fail-test",
  "event": "session-start",
  "command": "exit 1"
}' > .claude/hooks/fail-test.json

# Start new session
# Expected: Hook fails, but session continues

Test 3: Timeout Test

# Create hook that times out
echo '{
  "name": "timeout-test",
  "event": "session-start",
  "command": "sleep 100",
  "timeout": 1000
}' > .claude/hooks/timeout-test.json

# Start new session
# Expected: Hook killed after 1 second

Test 4: Real Scenario Test

# Test with actual use case
# Example: Run linter on save
echo '{
  "name": "lint-test",
  "event": "file-save",
  "filter": {"filePattern": "test-file.js"},
  "command": "eslint test-file.js"
}' > .claude/hooks/lint-test.json

# Save test-file.js
# Expected: Linter runs, shows output

Test 5: Disaster Recovery

# Verify you can disable hook quickly
mv .claude/hooks/hook-name.json .claude/hooks/hook-name.json.disabled

# Or delete it
rm .claude/hooks/hook-name.json

Testing checklist:

Step 7: Documentation (5 min)

Document the hook clearly:

## Hooks

### [Hook Name]
**Event:** [Triggering event]
**Command:** `[Exact command]`
**Purpose:** [What it does and why]
**File:** `.claude/hooks/hook-name.json`

**Security notes:**
- [Risk 1 and mitigation]
- [Risk 2 and mitigation]

**To disable:**
\`\`\`bash
mv .claude/hooks/hook-name.json .claude/hooks/hook-name.json.disabled
\`\`\`

**Maintenance:**
- Review quarterly
- Update if dependencies change
- Monitor for performance issues

Step 8: Deployment Decision (CRITICAL)

Before deploying to team (project hooks):

⚠️  TEAM DEPLOYMENT CHECKLIST

This hook will run automatically for everyone on the team:

- [ ] All team members have been notified
- [ ] Hook is documented in README
- [ ] Hook has been tested by multiple people
- [ ] Team agrees hook adds value
- [ ] Hook can be disabled per-user if needed
- [ ] Hook doesn't require special setup
- [ ] Hook respects different dev environments

Commit to git:
```bash
git add .claude/hooks/hook-name.json
git commit -m "Add [hook-name] hook for [purpose]

⚠️  This hook will [describe what it does automatically]
To disable: mv .claude/hooks/hook-name.json{,.disabled}"

For personal hooks only:

# User hooks - not committed to git
echo '.claude/hooks/*.json' >> .gitignore

Common Hook Patterns

Pattern 1: Pre-Commit Testing

{
  "name": "pre-commit-tests",
  "event": "tool-call",
  "filter": "bash.*git commit",
  "command": "npm test",
  "continueOnError": false,
  "timeout": 60000,
  "description": "Run tests before allowing commits"
}

Safety: 🟡 MEDIUM

Blocks commits if tests fail
Could slow down workflow
Tests must be fast (<60s)

Pattern 2: Automatic Formatting

{
  "name": "format-on-save",
  "event": "file-save",
  "filter": {"filePattern": "**/*.{js,ts,jsx,tsx}"},
  "command": "prettier --write {file}",
  "timeout": 5000,
  "description": "Format JavaScript files on save"
}

Safety: 🟢 SAFE

Formatting is idempotent
Fast execution
Fails safely

Pattern 3: Build on Save

{
  "name": "build-on-save",
  "event": "file-save",
  "filter": {"filePattern": "src/**/*.ts"},
  "command": "npm run build",
  "timeout": 30000,
  "continueOnError": true,
  "description": "Rebuild project after TypeScript changes"
}

Safety: 🟡 MEDIUM

Could be slow
High resource usage
Consider debouncing for multiple saves

Pattern 4: Dependency Check

{
  "name": "check-deps",
  "event": "file-save",
  "filter": {"filePattern": "package.json"},
  "command": "npm outdated || true",
  "timeout": 10000,
  "description": "Check for outdated dependencies"
}

Safety: 🟢 SAFE

Read-only operation
Informational only
Doesn't block workflow

Pattern 5: Session Initialization

{
  "name": "session-setup",
  "event": "session-start",
  "command": "git fetch && npm outdated || true",
  "timeout": 15000,
  "description": "Update git refs and check dependencies at session start"
}

Safety: 🟢 SAFE

Runs once per session
Low impact
Informational

Anti-Patterns (NEVER DO THIS)

❌ Anti-Pattern 1: Automatic Git Push

{
  "name": "auto-push",
  "event": "tool-call",
  "filter": "bash.*git commit",
  "command": "git push"
}

Why dangerous:

Pushes before user reviews
Could push sensitive data
Breaks standard git workflow
Can't undo easily

Alternative: Use a Command like /push-with-review

❌ Anti-Pattern 2: Destructive Operations

{
  "name": "clean-build",
  "event": "file-save",
  "command": "rm -rf node_modules && npm install"
}

Why dangerous:

Deletes files automatically
Expensive operation (npm install)
Could run hundreds of times
Breaks workflow with latency

Alternative: Manual Command /clean-install

❌ Anti-Pattern 3: Unvalidated Input

{
  "name": "dynamic-command",
  "event": "file-save",
  "command": "eval $(cat {file})"
}

Why dangerous:

Executes arbitrary code
Could run malicious commands
No validation
Massive security hole

Alternative: Never use eval or dynamic code execution in hooks

❌ Anti-Pattern 4: Credential Exposure

{
  "name": "deploy",
  "event": "tool-call",
  "filter": "bash.*git push",
  "command": "curl -H 'Authorization: Bearer SECRET_TOKEN' https://api.example.com/deploy"
}

Why dangerous:

Hardcoded credentials
Logged in plain text
Shared in git (if project hook)
Security vulnerability

Alternative: Use environment variables or credential manager

Troubleshooting

Issue 1: Hook Not Triggering

Diagnosis:

# Check hook file exists
ls -la .claude/hooks/hook-name.json

# Validate JSON
cat .claude/hooks/hook-name.json | python3 -m json.tool

# Check Claude logs for hook errors

Common causes:

Invalid JSON syntax
Hook file in wrong location
Event name misspelled
Filter too restrictive

Issue 2: Hook Runs But Fails

Diagnosis:

# Test command manually
[exact command from hook]

# Check exit code
echo $?

# Increase timeout if needed

Common causes:

Command not found (PATH issue)
Insufficient permissions
Timeout too short
Missing dependencies

Issue 3: Hook Slows Down Workflow

Symptoms: Long delays after hook trigger

Solutions:

Increase timeout (but check why it's slow)
Make command faster (use cache, limit scope)
Change event (maybe session-start instead of file-save)
Add filter to limit when it runs
Consider if hook is really needed

Issue 4: Hook Creates Infinite Loop

Symptoms: Hook keeps triggering itself

Emergency fix:

# Immediately disable hook
mv .claude/hooks/hook-name.json .claude/hooks/hook-name.json.DISABLED

# Or delete it
rm .claude/hooks/hook-name.json

# Restart Claude

Prevention:

Don't create hooks that trigger the same event they're listening to
Example: Don't save files in a file-save hook
Example: Don't run git commands in a tool-call hook that filters git commands

When NOT to Use Hooks

Use a Command instead when:

✓ User needs to confirm action
✓ Operation is destructive
✓ Parameters vary each time
✓ Need user input
✓ Complex multi-step workflow

Use a Skill instead when:

✓ Need reasoning/analysis
✓ User should review before action
✓ Context-dependent decisions
✓ Variable inputs

Use manual workflow when:

✓ Operations are rare
✓ Risk is high
✓ Complexity is high
✓ User is learning

Success Criteria

A successful Hook creation results in:

✅ User explicitly acknowledged security risks
✅ Hook passes all security checklist items
✅ Hook is tested in isolated environment
✅ Hook behaves predictably and safely
✅ Hook can be disabled quickly
✅ Hook is documented with risks and mitigation
✅ Team is notified (if project hook)
✅ User has rollback plan

Final Reminder

Hooks are powerful but dangerous. When in doubt, use a Command or Skill instead.

Every hook should answer:

Why does this need to be automatic?
What could go wrong?
How do I disable it quickly?
Will this annoy me or my team?

If you can't answer all four confidently, don't create the hook.

name	hook-builder
description	Guide Hook creation with mandatory security review checklist, event selection, and safety validation. Hooks execute arbitrary commands automatically and require careful security consideration. Use when creating Hooks, implementing pre-commit hooks, post-command hooks, automatic execution, event-driven workflows, or when users want to run commands automatically.
allowed-tools	Read, Write, Edit, Bash, Grep, Glob

Hook Builder

⚠️ CRITICAL: Security-First Approach

BEFORE ANY HOOK CREATION, USER MUST ACKNOWLEDGE:

⚠️  SECURITY WARNING ⚠️

Hooks execute commands AUTOMATICALLY without user confirmation.
This creates significant security risks:

1. Accidental infinite loops
2. Destructive operations without confirmation
3. Credential exposure in logs
4. Resource exhaustion
5. Unintended side effects

YOU MUST:
✓ Review the security checklist before creation
✓ Test hooks thoroughly in a safe environment
✓ Understand every command that will execute
✓ Consider failure scenarios and edge cases
✓ Have rollback procedures ready

Do you understand these risks and want to proceed? (yes/no)

If user does not explicitly acknowledge risks, STOP and do not proceed.

Core Responsibilities

When helping create Hooks:

Display security warning (mandatory first step)
Guide through event selection
Review command safety
Generate valid hook configuration
Design comprehensive test protocol
Validate security checklist
Document hook behavior and risks

Hook Creation Workflow

Step 1: Security Acknowledgment (MANDATORY)

Display the security warning above and wait for explicit acknowledgment.

Do not proceed without clear "yes" or affirmative response.

If user hesitates or seems unsure:

Hooks are very powerful but risky. Consider these alternatives:

1. **Command instead of Hook** - Explicit execution with user control
2. **Skill instead of Hook** - Automatic activation, but user confirms actions
3. **Manual workflow** - No automation, maximum safety

Would you prefer one of these safer alternatives?

Step 2: Use Case Analysis (5-10 min)

Understand what the user wants to automate:

To create a safe and effective Hook, I need to understand:

1. **What event should trigger this Hook?**
   - File save?
   - Before commit?
   - After command execution?
   - Session start?

2. **What command(s) should execute?**
   Be specific about every command that will run.

3. **What is the expected outcome?**
   What should change after the hook runs?

4. **How often will this trigger?**
   Every save? Every commit? Once per session?

5. **What could go wrong?**
   Think about failure scenarios.

Red flags that indicate Hook is NOT appropriate:

❌ User wants to modify production systems
❌ User wants to execute network operations automatically
❌ User wants to delete or move files without review
❌ User wants to commit or push to git automatically
❌ User mentions "I'm not sure what command to run"
❌ Use case involves credentials or sensitive data

If red flags present:

This use case is too risky for a Hook. Here's why: [explain risk]

I recommend using a Command instead, which requires explicit execution.
Would you like me to help create a Command for this workflow?

Step 3: Event Selection (5 min)

Available hook events in Claude Code:

Event	When It Triggers	Safety Level	Use Cases
`user-prompt-submit`	Before user message processed	🟢 SAFE	Validate input, check context
`tool-call`	Before any tool executes	🟡 MEDIUM	Log operations, check permissions
`file-write`	Before writing file	🟡 MEDIUM	Format code, validate syntax
`file-save`	After saving file	🟡 MEDIUM	Lint, compile, test
`session-start`	When session begins	🟢 SAFE	Setup, environment check
`session-end`	When session ends	🟢 SAFE	Cleanup, backup
`command-executed`	After slash command	🟡 MEDIUM	Follow-up actions

Event selection guide:

For linting/formatting:

event: file-save
# Runs after file saved, can read the file

For pre-commit validation:

event: tool-call
filter: "bash.*git commit"
# Intercepts git commit commands

For environment setup:

event: session-start
# Runs once when session starts

For logging:

event: tool-call
# Logs all tool executions

Step 4: Security Review Checklist (10-15 min)

MANDATORY: User must answer ALL questions before proceeding.

## Security Checklist

### Command Safety
- [ ] Every command is explicitly listed (no variables from untrusted input)
- [ ] No commands that delete files (`rm`, `del`, etc.)
- [ ] No commands that modify git history (`git reset --hard`, `git push --force`)
- [ ] No commands that install software (`npm install`, `pip install` without lock files)
- [ ] No commands that execute downloaded code
- [ ] No commands that access network without explicit URLs
- [ ] No commands with sudo or elevated privileges

### Failure Handling
- [ ] Hook has timeout set (won't hang forever)
- [ ] Hook failure won't break user workflow
- [ ] Hook can be disabled quickly if needed
- [ ] Hook won't create infinite loops
- [ ] Hook won't trigger itself recursively

### Data Safety
- [ ] Hook doesn't log sensitive data (passwords, keys, tokens)
- [ ] Hook doesn't modify files outside project directory
- [ ] Hook doesn't send data to external services
- [ ] Hook respects .gitignore and sensitive files

### Testing
- [ ] Hook will be tested in isolated environment first
- [ ] User understands how to disable hook if needed
- [ ] User has rollback plan if hook causes issues
- [ ] User knows how to debug hook problems

### Documentation
- [ ] Hook behavior will be documented
- [ ] Team members will be notified (if project hook)
- [ ] Hook risks are explicitly noted
- [ ] Hook can be understood 6 months from now

If ANY checkbox is unchecked or uncertain, STOP and address concerns.

Example security review:

Proposed hook:
  event: file-save
  command: npm test

Security assessment:
✅ Command is explicit
✅ No destructive operations
✅ Read-only operation (tests don't modify code)
⚠️  Could be slow - should add timeout
⚠️  Will run on EVERY save - could be annoying
✅ Fails safely - test failures won't break workflow

Recommendations:
1. Add timeout: 30s
2. Consider limiting to specific file patterns
3. Add option to skip with environment variable

Step 5: Hook Configuration (5-10 min)

Hook file location:

Project hooks:

.claude/hooks/hook-name.json

User hooks:

~/.claude/hooks/hook-name.json

Basic hook structure:

{
  "name": "hook-name",
  "event": "file-save",
  "command": "npm test",
  "timeout": 30000,
  "description": "Run tests after saving files"
}

With event filtering:

{
  "name": "lint-python",
  "event": "file-save",
  "filter": {
    "filePattern": "**/*.py"
  },
  "command": "black {file} && flake8 {file}",
  "timeout": 10000,
  "description": "Format and lint Python files on save"
}

With conditional execution:

{
  "name": "pre-commit-tests",
  "event": "tool-call",
  "filter": "bash.*git commit",
  "command": "npm test",
  "continueOnError": false,
  "timeout": 60000,
  "description": "Run tests before allowing git commit"
}

Configuration fields:

Field	Required	Description	Security Notes
`name`	✅	Hook identifier	Lowercase, hyphens only
`event`	✅	Triggering event	See event table above
`command`	✅	Command to execute	REVIEW CAREFULLY
`timeout`	⚠️ Recommended	Milliseconds before kill	Default 30000, max 300000
`filter`	❌	Pattern to match	Limits when hook runs
`continueOnError`	❌	Allow failure	Default true, false blocks operation
`description`	⚠️ Recommended	What hook does	Helps future debugging

Safe command patterns:

// ✅ Safe: Read-only, explicit files
"command": "eslint src/**/*.js"

// ✅ Safe: Formatting with explicit tool
"command": "prettier --write {file}"

// ✅ Safe: Tests with timeout
"command": "npm test"

// ⚠️ Risky: Modifies files based on output
"command": "black {file}"

// ❌ DANGEROUS: Deletes files
"command": "rm -rf node_modules"

// ❌ DANGEROUS: Downloads and executes
"command": "curl http://example.com/script.sh | bash"

// ❌ DANGEROUS: Accesses credentials
"command": "git push --set-upstream origin $(git branch --show-current)"

Step 6: Testing Protocol (15-30 min)

CRITICAL: Test in isolated environment before production use.

Test 1: Manual Trigger Test

# Create test hook
echo '{
  "name": "test-hook",
  "event": "session-start",
  "command": "echo Hook triggered successfully"
}' > .claude/hooks/test-hook.json

# Start new session
# Expected: See "Hook triggered successfully"

Test 2: Failure Handling

# Create hook that fails
echo '{
  "name": "fail-test",
  "event": "session-start",
  "command": "exit 1"
}' > .claude/hooks/fail-test.json

# Start new session
# Expected: Hook fails, but session continues

Test 3: Timeout Test

# Create hook that times out
echo '{
  "name": "timeout-test",
  "event": "session-start",
  "command": "sleep 100",
  "timeout": 1000
}' > .claude/hooks/timeout-test.json

# Start new session
# Expected: Hook killed after 1 second

Test 4: Real Scenario Test

# Test with actual use case
# Example: Run linter on save
echo '{
  "name": "lint-test",
  "event": "file-save",
  "filter": {"filePattern": "test-file.js"},
  "command": "eslint test-file.js"
}' > .claude/hooks/lint-test.json

# Save test-file.js
# Expected: Linter runs, shows output

Test 5: Disaster Recovery

# Verify you can disable hook quickly
mv .claude/hooks/hook-name.json .claude/hooks/hook-name.json.disabled

# Or delete it
rm .claude/hooks/hook-name.json

Testing checklist:

Step 7: Documentation (5 min)

Document the hook clearly:

## Hooks

### [Hook Name]
**Event:** [Triggering event]
**Command:** `[Exact command]`
**Purpose:** [What it does and why]
**File:** `.claude/hooks/hook-name.json`

**Security notes:**
- [Risk 1 and mitigation]
- [Risk 2 and mitigation]

**To disable:**
\`\`\`bash
mv .claude/hooks/hook-name.json .claude/hooks/hook-name.json.disabled
\`\`\`

**Maintenance:**
- Review quarterly
- Update if dependencies change
- Monitor for performance issues

Step 8: Deployment Decision (CRITICAL)

Before deploying to team (project hooks):

⚠️  TEAM DEPLOYMENT CHECKLIST

This hook will run automatically for everyone on the team:

- [ ] All team members have been notified
- [ ] Hook is documented in README
- [ ] Hook has been tested by multiple people
- [ ] Team agrees hook adds value
- [ ] Hook can be disabled per-user if needed
- [ ] Hook doesn't require special setup
- [ ] Hook respects different dev environments

Commit to git:
```bash
git add .claude/hooks/hook-name.json
git commit -m "Add [hook-name] hook for [purpose]

⚠️  This hook will [describe what it does automatically]
To disable: mv .claude/hooks/hook-name.json{,.disabled}"

For personal hooks only:

# User hooks - not committed to git
echo '.claude/hooks/*.json' >> .gitignore

Common Hook Patterns

Pattern 1: Pre-Commit Testing

{
  "name": "pre-commit-tests",
  "event": "tool-call",
  "filter": "bash.*git commit",
  "command": "npm test",
  "continueOnError": false,
  "timeout": 60000,
  "description": "Run tests before allowing commits"
}

Safety: 🟡 MEDIUM

Blocks commits if tests fail
Could slow down workflow
Tests must be fast (<60s)

Pattern 2: Automatic Formatting

{
  "name": "format-on-save",
  "event": "file-save",
  "filter": {"filePattern": "**/*.{js,ts,jsx,tsx}"},
  "command": "prettier --write {file}",
  "timeout": 5000,
  "description": "Format JavaScript files on save"
}

Safety: 🟢 SAFE

Formatting is idempotent
Fast execution
Fails safely

Pattern 3: Build on Save

{
  "name": "build-on-save",
  "event": "file-save",
  "filter": {"filePattern": "src/**/*.ts"},
  "command": "npm run build",
  "timeout": 30000,
  "continueOnError": true,
  "description": "Rebuild project after TypeScript changes"
}

Safety: 🟡 MEDIUM

Could be slow
High resource usage
Consider debouncing for multiple saves

Pattern 4: Dependency Check

{
  "name": "check-deps",
  "event": "file-save",
  "filter": {"filePattern": "package.json"},
  "command": "npm outdated || true",
  "timeout": 10000,
  "description": "Check for outdated dependencies"
}

Safety: 🟢 SAFE

Read-only operation
Informational only
Doesn't block workflow

Pattern 5: Session Initialization

{
  "name": "session-setup",
  "event": "session-start",
  "command": "git fetch && npm outdated || true",
  "timeout": 15000,
  "description": "Update git refs and check dependencies at session start"
}

Safety: 🟢 SAFE

Runs once per session
Low impact
Informational

Anti-Patterns (NEVER DO THIS)

❌ Anti-Pattern 1: Automatic Git Push

{
  "name": "auto-push",
  "event": "tool-call",
  "filter": "bash.*git commit",
  "command": "git push"
}

Why dangerous:

Pushes before user reviews
Could push sensitive data
Breaks standard git workflow
Can't undo easily

Alternative: Use a Command like /push-with-review

❌ Anti-Pattern 2: Destructive Operations

{
  "name": "clean-build",
  "event": "file-save",
  "command": "rm -rf node_modules && npm install"
}

Why dangerous:

Deletes files automatically
Expensive operation (npm install)
Could run hundreds of times
Breaks workflow with latency

Alternative: Manual Command /clean-install

❌ Anti-Pattern 3: Unvalidated Input

{
  "name": "dynamic-command",
  "event": "file-save",
  "command": "eval $(cat {file})"
}

Why dangerous:

Executes arbitrary code
Could run malicious commands
No validation
Massive security hole

Alternative: Never use eval or dynamic code execution in hooks

❌ Anti-Pattern 4: Credential Exposure

{
  "name": "deploy",
  "event": "tool-call",
  "filter": "bash.*git push",
  "command": "curl -H 'Authorization: Bearer SECRET_TOKEN' https://api.example.com/deploy"
}

Why dangerous:

Hardcoded credentials
Logged in plain text
Shared in git (if project hook)
Security vulnerability

Alternative: Use environment variables or credential manager

Troubleshooting

Issue 1: Hook Not Triggering

Diagnosis:

# Check hook file exists
ls -la .claude/hooks/hook-name.json

# Validate JSON
cat .claude/hooks/hook-name.json | python3 -m json.tool

# Check Claude logs for hook errors

Common causes:

Invalid JSON syntax
Hook file in wrong location
Event name misspelled
Filter too restrictive

Issue 2: Hook Runs But Fails

Diagnosis:

# Test command manually
[exact command from hook]

# Check exit code
echo $?

# Increase timeout if needed

Common causes:

Command not found (PATH issue)
Insufficient permissions
Timeout too short
Missing dependencies

Issue 3: Hook Slows Down Workflow

Symptoms: Long delays after hook trigger

Solutions:

Increase timeout (but check why it's slow)
Make command faster (use cache, limit scope)
Change event (maybe session-start instead of file-save)
Add filter to limit when it runs
Consider if hook is really needed

Issue 4: Hook Creates Infinite Loop

Symptoms: Hook keeps triggering itself

Emergency fix:

# Immediately disable hook
mv .claude/hooks/hook-name.json .claude/hooks/hook-name.json.DISABLED

# Or delete it
rm .claude/hooks/hook-name.json

# Restart Claude

Prevention:

Don't create hooks that trigger the same event they're listening to
Example: Don't save files in a file-save hook
Example: Don't run git commands in a tool-call hook that filters git commands

When NOT to Use Hooks

Use a Command instead when:

✓ User needs to confirm action
✓ Operation is destructive
✓ Parameters vary each time
✓ Need user input
✓ Complex multi-step workflow

Use a Skill instead when:

✓ Need reasoning/analysis
✓ User should review before action
✓ Context-dependent decisions
✓ Variable inputs

Use manual workflow when:

✓ Operations are rare
✓ Risk is high
✓ Complexity is high
✓ User is learning

Success Criteria

A successful Hook creation results in:

✅ User explicitly acknowledged security risks
✅ Hook passes all security checklist items
✅ Hook is tested in isolated environment
✅ Hook behaves predictably and safely
✅ Hook can be disabled quickly
✅ Hook is documented with risks and mitigation
✅ Team is notified (if project hook)
✅ User has rollback plan

Final Reminder

Hooks are powerful but dangerous. When in doubt, use a Command or Skill instead.

Every hook should answer:

Why does this need to be automatic?
What could go wrong?
How do I disable it quickly?
Will this annoy me or my team?

If you can't answer all four confidently, don't create the hook.