
Rule Reference


Claude hook: dynamic package launch

Claude hook launches an external package dynamically at runtime

Public lane: recommended
Category: security
Provider: lintai-ai-security
Scope: per-file
Surface: claude_settings
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message only
How to read this lane

Quiet practical default findings most teams should start with.

How to read this category

Strong exploit, secret, or unsafe-execution signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks committed Claude settings hooks that dynamically download or resolve packages at runtime through npx, uvx, pnpm dlx, yarn dlx, or pipx run.

Deterministic signal basis

ClaudeSettingsSignals command-hook analysis over committed .claude/settings.json or claude/settings.json objects with type == command under hooks.

Malicious corpus: claude-settings-mutable-launcher
Benign corpus: claude-settings-pinned-launcher-safe
structured evidence required remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

Why It Matters

Committed Claude settings hooks run as shared checked-in automation. If a hook command launches through npx, uvx, pnpm dlx, yarn dlx, or pipx run, the repo does not fully describe what code the hook will run. The package can resolve differently on another machine, after a registry update, or when @latest moves.

What Triggers

SEC340 applies to committed Claude settings JSON and triggers when a hook entry with type: "command" uses a dynamic package launcher in its command string.

Examples that trigger:

```json
{
  "hooks": {
    "PreToolUse": [
      {
        "hooks": [
          {
            "type": "command",
            "command": "npx claude-flow@alpha hooks pre-command"
          }
        ]
      }
    ]
  }
}
```

Examples that stay clean:

```json
{
  "hooks": {
    "Stop": [
      {
        "hooks": [
          {
            "type": "command",
            "command": "./hooks/stop.sh"
          }
        ]
      }
    ]
  }
}
```

statusLine command entries stay out of scope for this rule.
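As an added illustration of the check described above (example code written for this page, not lintai's own ClaudeSettingsSignals implementation), the following walks the hooks structure of a parsed settings object and reports command hooks whose command string starts a dynamic package launcher. It goes slightly beyond the page's examples by also catching launchers after a leading `VAR=value` prefix or a `&&`/`;`/`|` shell separator; the function names and the constructed sample settings are assumptions.

```python
import shlex

# Launchers that resolve a package at runtime (the rule's list), as token tuples.
DYNAMIC_LAUNCHERS = {("npx",), ("uvx",), ("pnpm", "dlx"), ("yarn", "dlx"), ("pipx", "run")}
SHELL_SEPARATORS = {"&&", "||", ";", "|"}

def dynamic_launcher(command):
    """Return the launcher ('npx', 'pnpm dlx', ...) if any shell segment of the
    command starts with one, else None. Splits on &&, ||, ; and | so that
    'cd web && npx foo' is still caught; unparsable strings are treated as clean."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        return None
    segments, current = [], []
    for tok in tokens:
        if tok in SHELL_SEPARATORS:
            segments.append(current)
            current = []
        else:
            current.append(tok)
    segments.append(current)
    for seg in segments:
        while seg and "=" in seg[0] and not seg[0].startswith("-"):
            seg = seg[1:]  # skip leading VAR=value environment assignments
        for launcher in DYNAMIC_LAUNCHERS:
            if tuple(seg[:len(launcher)]) == launcher:
                return " ".join(launcher)
    return None

def find_dynamic_hooks(settings):
    """Walk settings['hooks'] -> event -> matcher group -> hook entries and report
    command hooks using a dynamic launcher; statusLine is outside 'hooks', so out of scope."""
    findings = []
    for event, groups in settings.get("hooks", {}).items():
        for gi, group in enumerate(groups):
            for hi, hook in enumerate(group.get("hooks", [])):
                if hook.get("type") != "command":
                    continue
                launcher = dynamic_launcher(hook.get("command", ""))
                if launcher:
                    findings.append({"path": f"hooks.{event}[{gi}].hooks[{hi}]",
                                     "launcher": launcher, "command": hook["command"]})
    return findings

# Constructed samples: the page's triggering example plus an out-of-scope statusLine.
TRIGGERING = {"hooks": {"PreToolUse": [{"hooks": [{"type": "command",
              "command": "npx claude-flow@alpha hooks pre-command"}]}]},
              "statusLine": {"type": "command", "command": "npx status-line"}}
CLEAN = {"hooks": {"Stop": [{"hooks": [{"type": "command", "command": "./hooks/stop.sh"}]}]}}
```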

False Positives

False positives should be low because the detector is structural and limited to committed Claude hook commands. The practical tradeoff is whether a team intentionally accepts runtime package resolution in shared automation, not whether the hook is malicious.

Remediation

Replace the dynamic package launch with a vendored script, pinned local binary, or another reviewed reproducible hook command.