From credential-guard
Blocks destructive shell commands (recursive rm, force-push git, credential leaks) and sensitive file writes before execution. Runs bash scripts to guard against unsafe operations.
1 event · 5 hooks
Safety signals detected in this hook configuration
Where this hook configuration is defined
Defined inline in plugin.json manifest
Event handlers and matchers
Write

    # Block writes to .env files and to paths containing "credentials" or "secret".
    FILE=$(echo "$CC_TOOL_INPUT" | jq -r '.file_path' 2>/dev/null)
    if echo "$FILE" | grep -qE '\.env$|\.env\.|credentials|secret'; then
      echo "BLOCKED: Writing to sensitive file: $FILE" >&2
      exit 2
    fi

Edit

    # Same path check as the Write hook, applied to edits of existing files.
    FILE=$(echo "$CC_TOOL_INPUT" | jq -r '.file_path' 2>/dev/null)
    if echo "$FILE" | grep -qE '\.env$|\.env\.|credentials|secret'; then
      echo "BLOCKED: Editing sensitive file: $FILE" >&2
      exit 2
    fi

Bash

    # Warn only (no exit 2): the command contains a key-like prefix followed by 20+ alphanumerics.
    CMD=$(echo "$CC_TOOL_INPUT" | jq -r '.command' 2>/dev/null)
    if echo "$CMD" | grep -qE '(sk|pk|api|key|token|secret|password)[-_]?[a-zA-Z0-9]{20,}'; then
      echo 'WARNING: Possible API key or token detected in command. Verify no secrets are exposed.' >&2
    fi

Write

    # Block writes to service account and key files.
    FILE=$(echo "$CC_TOOL_INPUT" | jq -r '.file_path' 2>/dev/null)
    if echo "$FILE" | grep -qE 'serviceaccount.*\.json|key\.json|credentials\.json'; then
      echo "BLOCKED: Writing to service account file: $FILE" >&2
      exit 2
    fi

Bash

    # Warn only (no exit 2): the command names an environment variable that commonly holds a secret.
    # grep -q sets the exit status itself; piping it into `head -1` would make the test always succeed.
    CONTENT=$(echo "$CC_TOOL_INPUT" | jq -r '.command' 2>/dev/null)
    if echo "$CONTENT" | grep -qE 'ANTHROPIC_API_KEY|OPENAI_API_KEY|AWS_SECRET|GITHUB_TOKEN|DATABASE_URL'; then
      echo 'WARNING: Environment variable with potential secret detected in command.' >&2
    fi

Install

    npx claudepluginhub yurukusa/cc-safe-setup --plugin credential-guard