Skip to content

Fix Claude hook installation trust boundary#7

Merged
bob-codedaptive merged 1 commit into
stable/1.0.xfrom
codex/fix-project-controlled-python-execution-vulnerability
Jul 6, 2026
Merged

Fix Claude hook installation trust boundary#7
bob-codedaptive merged 1 commit into
stable/1.0.xfrom
codex/fix-project-controlled-python-execution-vulnerability

Conversation

@bob-codedaptive

Copy link
Copy Markdown
Member

Motivation

  • The adapter settings.json wired lifecycle hooks to run python3 "$CLAUDE_PROJECT_DIR/.claude/hooks/moot_hooks.py", which is safe only when the hook scripts are the trusted files shipped with the adapter and the settings are installed per-project; the README previously recommended copying the adapter into a user-level Claude config, which would allow a malicious project to supply and execute arbitrary hook code.
  • The change aims to prevent accidental execution of project-controlled hook scripts when the adapter is installed globally under a user account.

Description

  • Update apps/moot-agent-skills/claude/README.md to require installing hook settings only into a trusted repository root and to explicitly warn against installing .claude/settings.json in a user-level Claude configuration.
  • Document that the hook commands intentionally execute scripts from $CLAUDE_PROJECT_DIR/.claude/hooks and that global installs would execute hook scripts supplied by the active project.
  • Recommend that user-level installs include only non-executable surfaces (for example CLAUDE.md, rules, skills, or commands) and that lifecycle hooks remain disabled until installed per trusted project.
  • Add a note to merge the "hooks" block only after trusting project contents.

Testing

  • Ran python3 -m py_compile apps/moot-agent-skills/claude/.claude/hooks/moot_hooks.py apps/moot-agent-skills/claude/.claude/hooks/moot_update_check.py and it succeeded.
  • Ran git diff --check (whitespace/format checks) and it reported no problems.

Codex Task

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Thank you for your contribution to MOOTx01. Before it can be merged we need you to sign our Contributor License Agreement. You can read it here: CLA.md. To sign, post a comment on this pull request with exactly the following text:


I have read the CLA Document and I hereby sign the CLA


You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

@bob-codedaptive bob-codedaptive merged commit 0446059 into stable/1.0.x Jul 6, 2026
@bob-codedaptive bob-codedaptive deleted the codex/fix-project-controlled-python-execution-vulnerability branch July 6, 2026 14:45
bob-codedaptive pushed a commit that referenced this pull request Jul 7, 2026
… monitoring parity

#14: release.yml signing steps now require both startsWith(refs/tags/)
AND github.event_name == 'push'. workflow_dispatch on a tag ref no
longer triggers cert import, signing, or publishing.

#13: candidate.yml validates version from Cargo.toml with strict
semver regex before any shell interpolation (supply-chain guard).

#5: candidate notarization steps guard APPLE_API_KEY_P8 presence
before xcrun notarytool — missing secrets skip gracefully.

#6: Swift InvertedIndexStore.remove() and deleteAll() now nil
cachedPair + RAM mirrors immediately on destructive ops. Rust
already nils cached on both paths.

#1: Rust vault import response reports COMPLETE with actual stats
instead of RUNNING (the Rust import is synchronous).

#7: Rust monitoring migration recognizes "unknown" source — no
longer re-enables monitoring for Swift-preserved opt-outs.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant