
Rule Reference

SEC340 | lintai-ai-security | stable | claude_settings | warn

Claude hook: mutable package launcher

Claude settings command hook uses a mutable package launcher

Provider: lintai-ai-security
Surface: claude_settings
Scope: per_file
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

Lifecycle

Stable Lifecycle Contract

State: stable_gated

Graduation rationale

Checks committed Claude settings command hooks for mutable package launcher forms such as npx, uvx, pnpm dlx, yarn dlx, and pipx run.

Deterministic signal basis

ClaudeSettingsSignals command-hook analysis over committed .claude/settings.json or claude/settings.json objects with type == command under hooks.

Malicious corpus: claude-settings-mutable-launcher
Benign corpus: claude-settings-pinned-launcher-safe
structured evidence required; remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

Why It Matters

Committed Claude settings hooks run as shared checked-in automation. If a hook command shells out through npx, uvx, pnpm dlx, yarn dlx, or pipx run, the hook depends on mutable package resolution instead of a reproducible reviewed command path.

What Triggers

SEC340 applies to committed Claude settings JSON and triggers when a hook entry with type: "command" uses a mutable package launcher in its command string.

Examples that trigger:

```json
{
  "hooks": {
    "PreToolUse": [
      {
        "hooks": [
          {
            "type": "command",
            "command": "npx claude-flow@alpha hooks pre-command"
          }
        ]
      }
    ]
  }
}
```

Examples that stay clean:

```json
{
  "hooks": {
    "Stop": [
      {
        "hooks": [
          {
            "type": "command",
            "command": "./hooks/stop.sh"
          }
        ]
      }
    ]
  }
}
```

statusLine command entries stay out of scope for this rule.
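As an added illustration (not lintai's own code), a minimal Python re-implementation of the structural check described above: it walks only the top-level hooks object of a settings document, keeps type == "command" entries, and flags command strings whose leading words are one of the launcher forms the rule names. The sample settings document, the splitting of chained shell commands and the skipping of leading VAR=value assignments are assumptions made for this example.

```python
import json
import re
import shlex

# Launcher forms named by SEC340, as leading command words (constructed list).
MUTABLE_LAUNCHERS = (("npx",), ("uvx",), ("pnpm", "dlx"), ("yarn", "dlx"), ("pipx", "run"))

def iter_command_hooks(settings):
    """Yield (event, command) for each hooks.<event>[].hooks[] entry with type == "command".
    Only the top-level "hooks" object is walked, so statusLine stays out of scope."""
    hooks = settings.get("hooks")
    if not isinstance(hooks, dict):
        return
    for event, groups in hooks.items():
        for group in groups or []:
            for hook in (group or {}).get("hooks") or []:
                if isinstance(hook, dict) and hook.get("type") == "command":
                    if isinstance(hook.get("command"), str):
                        yield event, hook["command"]

def uses_mutable_launcher(command):
    """True if any shell segment (split on &&, ||, ;, | and newlines) starts with a
    mutable launcher form, after skipping leading VAR=value assignments (assumed handling)."""
    for segment in re.split(r"&&|\|\||;|\||\n", command):
        try:
            words = shlex.split(segment)
        except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
            words = segment.split()
        while words and re.fullmatch(r"[A-Za-z_]\w*=.*", words[0]):
            words.pop(0)
        if words:
            words[0] = words[0].rsplit("/", 1)[-1]  # /usr/bin/npx -> npx
        if any(tuple(words[:len(form)]) == form for form in MUTABLE_LAUNCHERS):
            return True
    return False

def check_sec340(settings_json):
    """Return [(event, command)] findings for one committed settings document."""
    settings = json.loads(settings_json)
    return [(e, c) for e, c in iter_command_hooks(settings) if uses_mutable_launcher(c)]

# Constructed sample: the page's trigger and clean hooks, plus a chained launcher and a statusLine.
SAMPLE_SETTINGS = json.dumps({
    "hooks": {
        "PreToolUse": [{"hooks": [{"type": "command", "command": "npx claude-flow@alpha hooks pre-command"}]}],
        "Stop": [{"hooks": [{"type": "command", "command": "./hooks/stop.sh"}]}],
        "PostToolUse": [{"matcher": "Edit", "hooks": [{"type": "command", "command": "cd web && pnpm dlx prettier --check ."}]}],
    },
    "statusLine": {"type": "command", "command": "npx some-status-tool"},
})

if __name__ == "__main__":
    for event, cmd in check_sec340(SAMPLE_SETTINGS):
        print(f"SEC340 {event}: {cmd}")
```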

False Positives

False positives should be low because the detector is structural and limited to committed Claude hook commands. The practical tradeoff is whether a team intentionally accepts mutable launcher convenience in shared automation, not whether the hook is “malicious”.

Remediation

Replace the mutable package launcher with a vendored script, pinned local binary, or another reviewed reproducible hook command.