trailofbits-hooks
Security hooks for Claude Code that block destructive commands, prevent force pushes, protect credentials, and provide audit logging during AI-assisted development.
Trust score: 71 / 100 · Grade D (D = 60–69)
“I need to secure my AI-assisted development workflow by preventing destructive commands, blocking unsafe git operations, protecting credentials, and maintaining audit trails.”
trailofbits-hooks earned Verified status with a trust score of 71/100 (Grade D). Adversarial testing produced 9 findings (8 high, 1 medium). Security scan flagged 0 findings. Tier is Verified rather than Certified due to unmitigated findings above severity thresholds.
Trust Score Breakdown
Eight weighted signals composing the aggregate trust score
Scheme v2.0 · Weights provisional · Consumer confirmations and uptime use pipeline-derived baselines.
Findings
Security scan results, adversarial testing, and pipeline review
Security Scan — Cisco Skill Scanner
Adversarial Testing — 6 categories, 9 findings
The skill's PreToolUse hooks execute shell commands that directly interpolate user-provided command content without proper sanitization. The hooks use `jq -r '.tool_input.command'` to extract user input and then pass it to shell operations like `echo "$CMD"` and `grep` patterns. An attacker could inject shell metacharacters, command separators, or escape sequences in the tool_input.command field to execute arbitrary commands or bypass the security checks.
The skill's hook system is designed to block dangerous operations like 'rm -rf' and 'git push --force', but the implementation has gaps that could allow bypasses. The hooks use regex patterns that may not catch all variations of dangerous commands, and the configuration explicitly mentions blocking force operations while potentially allowing them through pattern evasion.
The skill implements extensive protections against system boundary violations through permission denies for sensitive directories (~/.ssh, ~/.aws, ~/.config, etc.) and shell profile modifications. However, the protection is implemented as a blacklist which may not cover all possible system configuration paths or new credential storage locations.
The log-gam.sh hook logs Google Apps Manager (GAM) write operations to a JSONL file, including the full command with all arguments. GAM commands often contain sensitive administrative data like user emails, organizational unit paths, group memberships, and other directory information that could be considered sensitive in enterprise contexts.
The skill contains multiple conditional statements that reference system state the user wouldn't anticipate, including environment variables (CLAUDE_PROJECT_DIR), file system state (pnpm-lock.yaml existence), and command parsing logic that makes decisions based on system context rather than explicit user input.
The skill contains persistent behavioral directives that would affect all future tasks through environment variables and hook configurations. The 'alwaysThinkingEnabled': true setting and environment variables like 'DISABLE_TELEMETRY': '1' establish persistent behavioral changes that extend beyond any single task execution.
The skill creates persistent state through logging mechanisms and configuration files that outlast individual task execution. The GAM logging hook creates persistent audit trails in '.changelog-raw.jsonl' files, and the statusline script reads and processes persistent workspace state.
While the skill appears to be focused on development environment safety (Trail of Bits Hooks), it includes broad system-level permissions management, environment variable manipulation, and comprehensive file system access controls that extend beyond simple hook functionality. The extensive deny permissions list and environment variable settings suggest authority claims that may exceed the stated purpose.
The skill configuration includes extensive bash command execution through hooks and status line scripts, but declares no dependencies in metadata. While the hooks appear to be security-focused (blocking dangerous rm commands, enforcing package manager conventions), the capability to execute arbitrary shell commands through the hook system could potentially be used for undeclared package installations or other system modifications. The statusline.sh script also executes git commands and other system utilities.
Methodology v1.0 · 6 categories · ~55 attack patterns
Interface
Skill triggers and instruction summary
Activation
Binds to lifecycle events: PreToolUse
Hook configuration with 2 handler(s)
Scope & Permissions
What this capability can and cannot access — derived from pipeline analysis
Certification Notes
Provenance observations from the pipeline
Publisher "trailofbits" is not verified — first certification from this publisher
No license file found in repository
No SECURITY.md or SECURITY.txt file found — no published vulnerability reporting process
Single contributor — no peer review evidence in commit history
Package description appears to be boilerplate or template text
Signed Artifact
Certification provenance and verification metadata
Pipeline Artifacts
Raw data files from this certification run — downloadable for independent verification
contract.json: Full unsigned contract
stage1-ingest.json: Ingest stage output
stage2a-sbom.json: SBOM generation results
stage2a-vulns.json: Vulnerability scan results
stage2b-security.json: Security scan results
stage3a-functional.json: Functional test results
stage3b-adversarial.json: Adversarial test results
stage3c-fingerprint.json: Behavioral fingerprint
stage4-certify.json: Certification decision + trust score
stage3a-measurements.json: Raw functional test measurements
stage3b-measurements.json: Raw adversarial test measurements
run-log.json: Pipeline execution log
Not all files may be present for every certification.