- Claude Hook Writer
- Status
-
- Production Ready
- Version
-
- 2.0.0 (Optimized with progressive disclosure)
- Last Updated
-
- 2025-12-17
- Overview
- Expert guidance for writing secure, reliable, and performant Claude Code hooks. This skill validates design decisions, enforces best practices, and prevents common pitfalls.
- When to Use This Skill
- Designing a new Claude Code hook
- Reviewing existing hook code
- Debugging hook failures
- Optimizing slow hooks
- Securing hooks that handle sensitive data
- Publishing hooks as PRPM packages
- Core Principles
- 1. Security is Non-Negotiable
- Hooks execute automatically with user permissions and can read, modify, or delete any file the user can access.
- ALWAYS validate and sanitize all input.
- Hooks receive JSON via stdin—never trust it blindly.
- For complete security patterns
-
- Load
- references/security-requirements.md
- when implementing validation or securing hooks.
- 2. Reliability Over Features
- A hook that works 99% of the time is a broken hook. Edge cases (Unicode filenames, spaces in paths, missing tools) will happen.
- Test with edge cases before deploying.
- For reliability patterns
-
- Load
- references/reliability-performance.md
- when handling errors or edge cases.
- 3. Performance Matters
- Hooks block operations. A 5-second hook means Claude waits 5 seconds before continuing.
- Keep hooks fast. Run heavy operations in background.
- For performance optimization
- Load references/reliability-performance.md when optimizing hook speed. 4. Fail Gracefully Missing dependencies, malformed input, and disk errors will occur. Handle errors explicitly. Log failures. Return meaningful exit codes. Hook Design Checklist Before writing code, answer these questions: What Event Does This Hook Target? PreToolUse - Before tool execution (modify input, validate, block) PostToolUse - After tool completes (format, log, cleanup) UserPromptSubmit - Before user input processes (validate, enhance) SessionStart - When Claude Code starts (setup, env check) SessionEnd - When Claude Code exits (cleanup, persist state) Notification - During alerts (desktop notifications, logging) Stop / SubagentStop - When responses finish (cleanup, summary) PreCompact - Before context compaction (save important context) Common mistake: Using PostToolUse for validation (too late—tool already ran). Use PreToolUse to block operations. Which Tools Should Trigger This Hook? Be specific. matcher: "" runs on every tool call. Good matchers: "Write" - Only file writes "Edit|Write" - File modifications "Bash" - Shell commands "mcp__github__" - All GitHub MCP tools Bad matchers: "*" - Everything (use only for logging/metrics) What Input Does This Hook Need? Different tools provide different input. Check what's available:
PreToolUse / PostToolUse
- {
- "input"
- :
- {
- "file_path"
- :
- "/path/to/file.ts"
- , // Read, Write, Edit
- "command"
- :
- "npm test"
- , // Bash
- "old_string"
- :
- "..."
- , // Edit
- "new_string"
- :
- "..."
- // Edit
- }
- }
- Validate fields exist before using them:
- FILE
- =
- $(
- echo
- "
- $INPUT
- "
- |
- jq
- -r
- '.input.file_path // empty'
- )
- if
- [
- [
- -z
- "
- $FILE
- "
- ]
- ]
- ;
- then
- echo
- "No file path provided"
- >
- &2
- exit
- 1
- fi
- Should This Be a Command Hook or Prompt Hook?
- Command hooks
- (
- type: "command"
- ):
- Fast (milliseconds)
- Deterministic
- Good for: formatting, logging, file checks
- Prompt hooks
- (
- type: "prompt"
- ):
- Slow (2-10 seconds)
- Context-aware (uses LLM)
- Good for: complex validation, security analysis, intent detection
- Rule of thumb:
- Use command hooks unless you need LLM reasoning.
- What Exit Code Communicates Success/Failure?
- exit 0
- - Success (continue operation)
- exit 2
- - Block operation (show error to Claude)
- exit 1
- or other - Non-blocking error (log but continue)
- For PreToolUse hooks:
- Exit 2 blocks the tool from running
- Exit 0 allows it (optionally with modified input)
- For PostToolUse hooks:
- Exit codes don't block (tool already ran)
- Use exit 0 for success, 1 for logging errors
- Top 5 Pitfalls (Must Know)
- Pitfall #1: Not Quoting Variables
- Error
-
- Hooks break on filenames with spaces or special characters
- Why
- Unquoted variables split on whitespace Example :
❌ WRONG - breaks on "my file.txt"
cat $FILE prettier --write $FILE rm $FILE
✅ RIGHT - handles spaces and special chars
- cat
- "
- $FILE
- "
- prettier
- --write
- "
- $FILE
- "
- rm
- "
- $FILE
- "
- Why this matters
-
- Files with spaces (
- "my file.txt"
- ), Unicode (
- "文件.txt"
- ), or special chars (
- "file (1).txt"
- ) are common.
- For quoting best practices
-
- Load
- references/security-requirements.md
- for comprehensive input handling patterns.
- Pitfall #2: Trusting Input Without Validation
- Error
-
- Hook executes on malicious or malformed input
- Why
- Not validating JSON fields before using them Example :
❌ DANGEROUS - no validation
FILE
$( jq -r '.input.file_path' ) rm " $FILE "
Could delete ../../../etc/passwd
✅ SAFE - validate first
FILE
- $(
- jq
- -r
- '.input.file_path // empty'
- )
- [
- [
- -n
- "
- $FILE
- "
- ]
- ]
- ||
- exit
- 1
- [
- [
- "
- $FILE
- "
- ==
- "
- $CLAUDE_PROJECT_DIR
- "
- *
- ]
- ]
- ||
- exit
- 2
- [
- [
- "
- $FILE
- "
- !=
- *
- ".."
- *
- ]
- ]
- ||
- exit
- 2
- rm
- "
- $FILE
- "
- Why this matters
-
- Prevents path traversal attacks, protects files outside project, prevents malformed input crashes.
- For complete security patterns
-
- Load
- references/security-requirements.md
- .
- Pitfall #3: Blocking Operations Too Long
- Error
-
- Hook takes 30+ seconds, blocking Claude
- Why
- Running expensive operations (tests, builds) synchronously in hook Example :
❌ BLOCKS Claude for 30 seconds
npm test npm run build
✅ RUN IN BACKGROUND - returns immediately
- (
- npm
- test
- >
- /tmp/test-results.log
- 2
- >
- &1
- &
- )
- (
- npm run build
- >
- /tmp/build.log
- 2
- >
- &1
- &
- )
- exit
- 0
- Why this matters
-
- Slow hooks create bad user experience. Target < 100ms for PreToolUse, < 500ms for PostToolUse.
- For performance optimization
-
- Load
- references/reliability-performance.md
- .
- Pitfall #4: Wrong Exit Code for Blocking
- Error
-
- PreToolUse hook doesn't actually block the operation
- Why
- Using exit 1 instead of exit 2 Example :
❌ WRONG - logs error but doesn't block
if [ [ $FILE == ".env" ] ] ; then echo "Don't edit .env"
&2 exit 1
Tool still runs!
fi
✅ RIGHT - actually blocks
if [ [ $FILE == ".env" ] ] ; then echo "Blocked: .env is protected"
&2 exit 2
Tool is blocked
- fi
- Why this matters
-
- Exit 1 only logs errors. Exit 2 is required to block in PreToolUse hooks.
- For exit code patterns
-
- Load
- references/hook-templates.md
- for complete hook response patterns.
- Pitfall #5: Assuming Tools Exist
- Error
-
- Hook crashes when dependency is missing
- Why
- Not checking if tool is installed before using Example :
❌ BREAKS if prettier not installed
prettier --write " $FILE "
✅ SAFE - check first
if command -v prettier &> /dev/null ; then prettier --write " $FILE " else echo "prettier not installed, skipping"
&2 exit 0
Success exit, just skip
- fi
- Why this matters
-
- Users may not have all tools installed. Hooks should degrade gracefully.
- For reliability patterns
-
- Load
- references/reliability-performance.md
- .
- Critical Rules
- Always Do
- ✅ Validate all JSON input before using (
- jq -r '... // empty'
- )
- ✅ Quote all variables containing paths or user input
- ✅ Use absolute paths for scripts (
- ${CLAUDE_PLUGIN_ROOT}/...
- )
- ✅ Block sensitive files (
- .env
- ,
- *.key
- , credentials)
- ✅ Check if required tools exist (
- command -v toolname
- )
- ✅ Set reasonable timeouts (< 5s for PreToolUse)
- ✅ Run heavy operations in background
- ✅ Test with edge cases (spaces, Unicode, special chars)
- ✅ Use exit 2 to block in PreToolUse hooks
- ✅ Log errors to stderr or file, not stdout
- Never Do
- ❌ Trust JSON input without validation
- ❌ Use unquoted variables ($FILE instead of "$FILE")
- ❌ Use relative paths for scripts
- ❌ Skip path sanitization (check for
- ..
- , validate in project)
- ❌ Assume tools are installed
- ❌ Block for > 1 second in PreToolUse hooks
- ❌ Use exit 1 when you mean to block (use exit 2)
- ❌ Log sensitive data to stdout or files
- ❌ Use
- matcher: "*"
- unless truly necessary
- When to Load References
- Load reference files when working on specific hook aspects:
- Security Requirements (
- references/security-requirements.md
- )
- Load when:
- Implementing input validation and sanitization
- Securing hooks that handle sensitive data
- Blocking sensitive files (
- .env
- , keys, credentials)
- Preventing path traversal attacks
- Understanding security vulnerabilities and best practices
- Testing security with malicious input
- Reliability & Performance (
- references/reliability-performance.md
- )
- Load when:
- Handling missing dependencies or tools
- Setting timeouts and handling slow operations
- Optimizing hook performance (< 100ms target)
- Running heavy operations in background
- Caching expensive results
- Testing with edge cases (Unicode, spaces, deep paths)
- Deduplicating expensive operations
- Code Templates (
- references/code-templates.md
- )
- Load when:
- Starting a new hook and need working examples
- Implementing format-on-save functionality
- Blocking sensitive files from modification
- Logging commands or operations
- Using prompt-based security analysis
- Customizing templates for specific use cases
- Testing & Debugging (
- references/testing-debugging.md
- )
- Load when:
- Writing test cases for hooks
- Debugging hook failures or unexpected behavior
- Testing with edge cases (malformed JSON, missing fields)
- Checking hook execution in transcript (Ctrl-R)
- Profiling hook performance
- Creating automated test suites
- Publishing Guide (
- references/publishing-guide.md
- )
- Load when:
- Publishing hooks to PRPM registry
- Creating package manifest (prpm.json)
- Configuring hook.json with advanced options
- Using
- continue
- ,
- stopReason
- ,
- suppressOutput
- ,
- systemMessage
- Writing README.md for users
- Understanding versioning and publishing commands
- Quick Reference (
- references/quick-reference.md
- )
- Load when:
- Need quick syntax lookup (exit codes, jq patterns)
- Looking up environment variables
- Finding common bash patterns (file validation, background execution)
- Checking hook events and matchers
- Need performance tips summary
- Looking up JSON input structure
- Final Checklist
- Before publishing a hook:
- Validates all stdin input with jq
- Quotes all variables
- Uses absolute paths for scripts
- Blocks sensitive files (
- .env
- ,
- *.key
- , etc.)
- Handles missing tools gracefully
- Sets reasonable timeout (< 5s for PreToolUse)
- Logs errors to stderr or file, not stdout
- Tests with edge cases (spaces, Unicode, malformed JSON)
- Tests in real Claude Code session
- Documents dependencies in README
- Uses semantic versioning
- Clear description and tags
- Using Bundled Resources
- This skill includes 6 reference files for on-demand loading:
- Security & Reliability
- (2 files):
- security-requirements.md
- - Input validation, path sanitization, blocking sensitive files
- reliability-performance.md
- - Error handling, timeouts, performance optimization
- Implementation
- (2 files):
- code-templates.md
- - Working hook examples (format-on-save, block-sensitive, logger, etc.)
- quick-reference.md
- - Fast syntax lookup (exit codes, jq patterns, environment vars)
- Testing & Publishing
- (2 files):
- testing-debugging.md
- - Test patterns, edge cases, debugging techniques
- publishing-guide.md
- - PRPM packaging, advanced configuration, README template
- Load references on-demand when specific knowledge is needed. See "When to Load References" section for triggers.
- Resources
- Claude Code Hooks Docs
- PRPM Hook Packages
- Last verified
-
- 2025-12-17 |
- Version
- 2.0.0