
Rule Reference


Claude settings: command hook missing `timeout`

Claude settings command hook should set `timeout` in a shared committed config

Provider
lintai-ai-security
Surface
claude_settings
Scope
per_file
Tier
preview
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks shared committed Claude settings for exact omission of `timeout` on command hooks.

Deterministic signal basis

ClaudeSettingsSignals performs exact command-hook `timeout` presence detection in parsed Claude settings JSON.

Malicious corpus
claude-settings-missing-hook-timeout
Benign corpus
claude-settings-hook-timeout-safe
structured evidence required remediation reviewed
Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC381 / CLAUDE-HOOK-TIMEOUT

SEC381 flags shared Claude settings when a `type: "command"` hook omits an explicit `timeout`.

Why It Matters

Shared command hooks are part of the team-wide agent execution path. Without an explicit timeout, a hook can hang unpredictably, slow down every run, or make failures harder to review and reproduce across machines.

Trigger Shape

The rule triggers only when all of these are true:

  • the file is a detected Claude settings surface
  • the path is not fixture-like
  • a hook entry has `type: "command"`
  • the same hook entry has `command`
  • the same hook entry does not declare `timeout`

Clean Cases

These stay clean:

  • command hooks with an explicit timeout
  • non-command hooks
  • fixture-like examples under test or fixture paths
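The trigger shape and clean cases above, written out as a small Python checker over parsed settings JSON. This is an added illustration, not the tool's own implementation; the fixture-path pattern and the finding format are assumptions.

```python
import json
import re
from typing import Iterator

# Assumption: the tool's fixture heuristic is not published, so this pattern
# only illustrates the "path is not fixture-like" condition.
FIXTURE_PATH_RE = re.compile(r"(^|/)(tests?|fixtures?|__fixtures__|testdata)(/|$)")


def is_fixture_like(path: str) -> bool:
    return bool(FIXTURE_PATH_RE.search(path.replace("\\", "/")))


def iter_hooks(settings: dict) -> Iterator[tuple[str, int, int, dict]]:
    """Yield (event, group_index, hook_index, hook) for every hook entry,
    walking hooks -> <Event> -> [matcher groups] -> hooks -> [entries]."""
    for event, groups in (settings.get("hooks") or {}).items():
        if not isinstance(groups, list):
            continue
        for gi, group in enumerate(groups):
            for hi, hook in enumerate((group or {}).get("hooks") or []):
                if isinstance(hook, dict):
                    yield event, gi, hi, hook


def find_missing_timeouts(path: str, settings_json: str) -> list[str]:
    """Return one finding per command hook that omits `timeout`.
    Non-command hooks, hooks without a `command`, and fixture-like
    paths never trigger, matching the documented clean cases."""
    if is_fixture_like(path):
        return []
    findings = []
    for event, gi, hi, hook in iter_hooks(json.loads(settings_json)):
        if hook.get("type") != "command" or "command" not in hook:
            continue
        if "timeout" in hook:
            continue
        findings.append(
            f"SEC381 {path}: hooks.{event}[{gi}].hooks[{hi}] command hook "
            f"{hook['command']!r} has no explicit timeout"
        )
    return findings


# Constructed samples: the first mirrors the trigger, the second the safer form.
TRIGGER = '{"hooks": {"Stop": [{"hooks": [{"type": "command", "command": "echo done"}]}]}}'
SAFE = '{"hooks": {"Stop": [{"hooks": [{"type": "command", "command": "echo done", "timeout": 5}]}]}}'

if __name__ == "__main__":
    for finding in find_missing_timeouts(".claude/settings.json", TRIGGER):
        print(finding)
```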

Example Trigger

```json
{
  "hooks": {
    "Stop": [
      {
        "hooks": [
          {
            "type": "command",
            "command": "echo done"
          }
        ]
      }
    ]
  }
}
```

Safer Example

```json
{
  "hooks": {
    "Stop": [
      {
        "hooks": [
          {
            "type": "command",
            "command": "echo done",
            "timeout": 5
          }
        ]
      }
    ]
  }
}
```

How To Fix

Add an explicit timeout to each shared command hook. Keep the timeout short and reviewable so the hook stays bounded across local machines and CI-like automation.