Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From security-guidance
PreToolUse security-anti-pattern hook for Claude Code. Catches 12 common security risks (command injection, XSS, SQL injection, unsafe deserialization, GitHub Actions workflow injection, eval/new Function code injection) BEFORE the Edit/Write/MultiEdit operation completes. Session-state caching prevents duplicate warnings on the same file+rule combo. Stdlib only — no dependencies. Use when you want a safety net during Claude Code sessions that touch security-sensitive code (auth, payments, user input handling, IaC). Disable with ENABLE_SECURITY_REMINDER=0 if you need to perform a verified-safe operation that would otherwise trip a pattern. Triggers — "add security hook", "block unsafe code", "detect command injection before write", "prevent SQL injection patterns", "security warning hook".
npx claudepluginhub marco3939/claude_skill --plugin security-guidanceHow this skill is triggered — by the user, by Claude, or both
Slash command
/security-guidance:security-guidanceThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
**A PreToolUse hook that blocks 12 common security anti-patterns before Claude Code writes them.**
Guides technical evaluation of code review feedback: read fully, restate for understanding, verify against codebase, respond with reasoning or pushback before implementing.
Share bugs, ideas, or general feedback.
A PreToolUse hook that blocks 12 common security anti-patterns before Claude Code writes them.
This skill is a hook, not a slash command. Once installed, it runs automatically before every Edit, Write, or MultiEdit operation and warns + blocks if it detects a known dangerous pattern.
The hook scans both:
${{ }} patterns| Pattern | Category | Risk |
|---|---|---|
| GitHub Actions workflow expressions | Path-based | Workflow command injection via untrusted inputs |
child_process.exec, exec(, execSync( | Substring | Node.js command injection |
new Function | Substring | JS code injection |
eval( | Substring | JS code injection |
dangerouslySetInnerHTML | Substring | React XSS |
document.write | Substring | DOM XSS |
.innerHTML = | Substring | DOM XSS |
pickle | Substring | Python deserialization RCE |
os.system, from os import system | Substring | Python command injection |
shell=True (subprocess) | Substring | Python command injection |
f-string SQL or .format SQL | Substring | SQL injection |
yaml.load(, yaml.unsafe_load | Substring | YAML deserialization RCE |
Edit, Write, or MultiEditsecurity_reminder_hook.py with the tool input as JSON on stdin~/.claude/security_warnings_state_<session>.jsonThis plugin ships as a Claude Code plugin with hooks.json wiring:
# In Claude Code:
/plugin marketplace add alirezarezvani/claude-skills
/plugin install security-guidance@claude-code-skills
Once installed, no further configuration needed — the hook runs automatically.
Disable per-session via environment variable:
ENABLE_SECURITY_REMINDER=0 claude
# Hook is bypassed for this session
Use sparingly — the hook is most useful exactly when you're tempted to disable it (because you're under deadline pressure to ship something you know is sketchy).
If a specific file legitimately needs eval() or pickle (e.g., a sandboxed REPL, a deliberately unsafe parser for a fuzzer), document it in the file with a comment:
# SAFETY: pickle is the required serialization format for this internal tool.
# This file does NOT accept untrusted input. See SECURITY.md for boundary analysis.
import pickle
The hook will still warn on first edit per session. After acknowledging, subsequent edits in the same session are allowed (session-state caching).
Trade-off: AST-based detection would be more precise (no false positives on string literals containing "eval("). Substring-based is:
For 90%+ of cases, substring detection is sufficient. If you need stricter detection, layer in a proper SAST tool (semgrep, CodeQL) as a CI step.
The hook caches "warning shown" state in ~/.claude/security_warnings_state_<session_id>.json. These files:
<file_path>-<rule_name> keysYou can safely delete ~/.claude/security_warnings_state_*.json files at any time — the hook regenerates them on next run.
The hook writes to ~/.claude/security-warnings-log.txt for debugging hook misfires:
tail -f ~/.claude/security-warnings-log.txt
# Shows JSON decode errors, state-file save failures, etc.
(Upstream version wrote to /tmp/security-warnings-log.txt — we moved it to ~/.claude/ for persistence across reboots.)
This plugin is ported from David Dworken's MIT-licensed implementation in alirezarezvani/aeo-box.
Verbatim: the original 9 patterns (GitHub Actions, child_process.exec, new Function, eval, dangerouslySetInnerHTML, document.write, innerHTML, pickle, os.system) are preserved with their exact warning text.
Modifications:
subprocess shell=True, SQL injection via f-string or .format, yaml.unsafe_load/tmp/security-warnings-log.txt → ~/.claude/security-warnings-log.txtattribution block in plugin.jsonDefeats the purpose. If ENABLE_SECURITY_REMINDER=0 becomes your default, you've trained yourself to ignore the safety net. Use it only for specific verified-safe operations.
Anyone can add a pattern. Removing one requires a security review — patterns exist because they map to real CVE classes.
The cache prevents nag-spam but is per-session. Don't rely on "I dismissed this once" as long-term policy — use the per-file documentation pattern instead (comment justifying the use).
engineering-team/skills/red-team — adversarial pen-testingengineering-team/skills/threat-detection — threat modeling + detection designengineering-team/skills/ai-security — AI-specific security (prompt injection, etc.)engineering/ship-gate — pre-production audit (8-category, ~89 checks)engineering/skill-security-auditor — security scan for skill packagesVersion: 2.7.3
Source: Ported from alirezarezvani/aeo-box .claude/plugins/security-guidance/ (originally by David Dworken at Anthropic, MIT)
License: MIT