Install command
Provided
Scans for potential sensitive data exposure and alerts immediately.
Open the source and read safety notes before installing.
Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.
Decision playbook
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
0
78
—
No baseline selected
No major trust-signal divergence detected in the current selection.
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Source provenance statusRequired
Marked as source-backed.
Metadata reviewed
Registry metadata indicates a reviewed listing.
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Trust level risk gateRequired
Trust level does not block evaluation.
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Package verification flag
No package verification flag provided.
Checksum metadata
No checksum provided for downloaded artifact.
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
Baseline comparison available
No baseline peer selected yet.
Diverging trust signals identified
No major trust-signal divergence found.
Setup at a glance
Copy-ready — paste the snippet to get started.
Install command
Provided
Config snippet
Provided
Copy snippet
Provided
Prerequisites
None
Platforms
1 listed
Difficulty
0/100
Adoption plan
Current risk score 16/100. Use staged verification before broader rollout.
Validate source and review signals before any execution.
Confirm source provenanceRequired
Source URL/provenance metadata is present.
Confirm metadata review state
Listing has review metadata.
Verify install payload
Install/config payload exists and can be inspected.
Confirm safety, privacy, and package integrity signals.
Review safety notesRequired
Safety notes are present.
Review privacy notesRequired
Privacy notes are present.
Verify package integrity metadata
No package verification/checksum metadata.
Adopt in controlled steps based on the selected plan.
Run in isolated sandbox firstRequired
Use a constrained sandbox and observe behavior across multiple tasks.
Roll out graduallyRequired
Roll out to a small cohort before wider usage.
Set monitoring and fallback
Define rollback path and monitor errors after adoption.
Evidence readiness
Required evidence gates are covered (5/6 signals complete).
Source repository/provenance is listed.
Required in this preset
Review metadata is present.
Required in this preset
Safety notes are present.
Required in this preset
Privacy notes are present.
Optional in this preset
Package integrity metadata is missing.
Optional in this preset
Install payload is available.
Required in this preset
Required evidence gates are covered for this preset.
Decision timeline
5/6 steps complete with no blocking gaps for this preset.
triage
Source/provenance metadata is available.
triage
Review metadata is available.
verify
Safety notes are available.
verify
Privacy notes are available.
verify
Package integrity metadata is missing.
rollout
Install payload is available.
No required blockers for this timeline preset.
Safety & privacy surface
3 safety and 3 privacy notes across 4 risk areas. Review closely: credentials & tokens, network access.
#!/bin/bash
# Read the tool input from stdin
INPUT=$(cat)
TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name')
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [ -z "$FILE_PATH" ]; then
exit 0
fi
# Only scan for Write and Edit operations
if [[ "$TOOL_NAME" != "Write" && "$TOOL_NAME" != "Edit" ]]; then
exit 0
fi
echo "🔒 Sensitive Data Alert Scanner - Analyzing file for security risks..."
echo "📄 File: $FILE_PATH"
# Check if file exists and is readable
if [ ! -f "$FILE_PATH" ]; then
echo "⚠️ File not found: $FILE_PATH"
exit 0
fi
# Skip binary files
if file "$FILE_PATH" | grep -q binary; then
echo "ℹ️ Skipping binary file"
exit 0
fi
SECURITY_ISSUES=0
WARNINGS=0
echo "🔍 Scanning for sensitive data patterns..."
# 1. API Keys and Secrets
echo "🔑 Checking for API keys and secrets..."
API_PATTERNS=(
"api[_-]?key\s*[:=]\s*[\"'][^\"']{8,}[\"']"
"secret[_-]?key\s*[:=]\s*[\"'][^\"']{8,}[\"']"
"access[_-]?token\s*[:=]\s*[\"'][^\"']{10,}[\"']"
"private[_-]?key\s*[:=]\s*[\"'][^\"']{20,}[\"']"
"client[_-]?secret\s*[:=]\s*[\"'][^\"']{8,}[\"']"
)
for pattern in "${API_PATTERNS[@]}"; do
if grep -iE "$pattern" "$FILE_PATH" 2>/dev/null | grep -v -iE "(\*\*\*|example|placeholder|your[_-]|demo|test|fake|dummy)"; then
echo "🚨 SECURITY ALERT: Potential API key/secret detected!"
SECURITY_ISSUES=$((SECURITY_ISSUES + 1))
fi
done
# 2. Password patterns
echo "🔐 Checking for password exposure..."
PASSWORD_PATTERNS=(
"password\s*[:=]\s*[\"'][^\"']{6,}[\"']"
"passwd\s*[:=]\s*[\"'][^\"']{6,}[\"']"
"pwd\s*[:=]\s*[\"'][^\"']{6,}[\"']"
)
for pattern in "${PASSWORD_PATTERNS[@]}"; do
if grep -iE "$pattern" "$FILE_PATH" 2>/dev/null | grep -v -iE "(\*\*\*|example|placeholder|your[_-]|demo|test|123456|password)"; then
echo "🚨 SECURITY ALERT: Potential password detected!"
SECURITY_ISSUES=$((SECURITY_ISSUES + 1))
fi
done
# 3. Database connection strings
echo "🗄️ Checking for database credentials..."
if grep -iE "(mysql://|postgresql://|mongodb://|redis://).*:.*@" "$FILE_PATH" 2>/dev/null; then
echo "🚨 SECURITY ALERT: Database connection string with credentials detected!"
SECURITY_ISSUES=$((SECURITY_ISSUES + 1))
fi
# 4. JWT tokens
echo "🎫 Checking for JWT tokens..."
if grep -E "eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+" "$FILE_PATH" 2>/dev/null; then
echo "🚨 SECURITY ALERT: JWT token detected!"
SECURITY_ISSUES=$((SECURITY_ISSUES + 1))
fi
# 5. SSH private keys
echo "🔑 Checking for SSH private keys..."
if grep -q "BEGIN.*PRIVATE KEY" "$FILE_PATH" 2>/dev/null; then
echo "🚨 SECURITY ALERT: SSH private key detected!"
SECURITY_ISSUES=$((SECURITY_ISSUES + 1))
fi
# 6. Email addresses (warning, not critical)
echo "📧 Checking for email addresses..."
if grep -E "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}" "$FILE_PATH" 2>/dev/null | head -3; then
echo "⚠️ Email addresses detected - ensure this is intentional"
WARNINGS=$((WARNINGS + 1))
fi
# 7. Credit card patterns (basic check)
echo "💳 Checking for credit card numbers..."
if grep -E "[0-9]{4}[\s-]?[0-9]{4}[\s-]?[0-9]{4}[\s-]?[0-9]{4}" "$FILE_PATH" 2>/dev/null; then
echo "🚨 SECURITY ALERT: Potential credit card number detected!"
SECURITY_ISSUES=$((SECURITY_ISSUES + 1))
fi
# 8. Social Security Numbers (US format)
echo "🆔 Checking for SSN patterns..."
if grep -E "[0-9]{3}-[0-9]{2}-[0-9]{4}" "$FILE_PATH" 2>/dev/null; then
echo "🚨 SECURITY ALERT: Potential SSN detected!"
SECURITY_ISSUES=$((SECURITY_ISSUES + 1))
fi
# 9. Phone numbers
echo "📞 Checking for phone numbers..."
if grep -E "\+?[1-9][0-9]{1,3}[\s-]?\(?[0-9]{3}\)?[\s-]?[0-9]{3}[\s-]?[0-9]{4}" "$FILE_PATH" 2>/dev/null; then
echo "⚠️ Phone numbers detected - verify if intentional"
WARNINGS=$((WARNINGS + 1))
fi
# Summary
echo ""
echo "📊 Security Scan Results:"
echo " • Critical Issues: $SECURITY_ISSUES"
echo " • Warnings: $WARNINGS"
if [ $SECURITY_ISSUES -gt 0 ]; then
echo ""
echo "🚨 CRITICAL SECURITY ALERT!"
echo "🛡️ Action Required:"
echo " • Review detected sensitive data immediately"
echo " • Remove or mask sensitive information"
echo " • Use environment variables for secrets"
echo " • Consider using a secrets management service"
echo " • Check if file should be added to .gitignore"
fi
if [ $WARNINGS -gt 0 ]; then
echo ""
echo "⚠️ Security Warnings:"
echo " • Review detected information for necessity"
echo " • Consider data privacy implications"
echo " • Verify compliance with data protection regulations"
fi
echo ""
echo "💡 Security Best Practices:"
echo " • Use environment variables for sensitive data"
echo " • Implement proper secrets management"
echo " • Add sensitive files to .gitignore"
echo " • Regular security audits of codebase"
echo " • Use code scanning tools in CI/CD"
echo ""
echo "🎯 Security scan complete!"
exit 0{
"hooks": {
"notification": {
"script": "./.claude/hooks/sensitive-data-alert-scanner.sh",
"matchers": [
"*"
]
}
}
}.claude/settings.local.json~/.claude/settings.json.claude/settings.json{
"hooks": {
"notification": {
"script": "./.claude/hooks/sensitive-data-alert-scanner.sh",
"matchers": ["*"]
}
}
}
#!/bin/bash
# Read the tool input from stdin
INPUT=$(cat)
TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name')
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [ -z "$FILE_PATH" ]; then
exit 0
fi
# Only scan for Write and Edit operations
if [[ "$TOOL_NAME" != "Write" && "$TOOL_NAME" != "Edit" ]]; then
exit 0
fi
echo "🔒 Sensitive Data Alert Scanner - Analyzing file for security risks..."
echo "📄 File: $FILE_PATH"
# Check if file exists and is readable
if [ ! -f "$FILE_PATH" ]; then
echo "⚠️ File not found: $FILE_PATH"
exit 0
fi
# Skip binary files
if file "$FILE_PATH" | grep -q binary; then
echo "ℹ️ Skipping binary file"
exit 0
fi
SECURITY_ISSUES=0
WARNINGS=0
echo "🔍 Scanning for sensitive data patterns..."
# 1. API Keys and Secrets
echo "🔑 Checking for API keys and secrets..."
API_PATTERNS=(
"api[_-]?key\s*[:=]\s*[\"'][^\"']{8,}[\"']"
"secret[_-]?key\s*[:=]\s*[\"'][^\"']{8,}[\"']"
"access[_-]?token\s*[:=]\s*[\"'][^\"']{10,}[\"']"
"private[_-]?key\s*[:=]\s*[\"'][^\"']{20,}[\"']"
"client[_-]?secret\s*[:=]\s*[\"'][^\"']{8,}[\"']"
)
for pattern in "${API_PATTERNS[@]}"; do
if grep -iE "$pattern" "$FILE_PATH" 2>/dev/null | grep -v -iE "(\*\*\*|example|placeholder|your[_-]|demo|test|fake|dummy)"; then
echo "🚨 SECURITY ALERT: Potential API key/secret detected!"
SECURITY_ISSUES=$((SECURITY_ISSUES + 1))
fi
done
# 2. Password patterns
echo "🔐 Checking for password exposure..."
PASSWORD_PATTERNS=(
"password\s*[:=]\s*[\"'][^\"']{6,}[\"']"
"passwd\s*[:=]\s*[\"'][^\"']{6,}[\"']"
"pwd\s*[:=]\s*[\"'][^\"']{6,}[\"']"
)
for pattern in "${PASSWORD_PATTERNS[@]}"; do
if grep -iE "$pattern" "$FILE_PATH" 2>/dev/null | grep -v -iE "(\*\*\*|example|placeholder|your[_-]|demo|test|123456|password)"; then
echo "🚨 SECURITY ALERT: Potential password detected!"
SECURITY_ISSUES=$((SECURITY_ISSUES + 1))
fi
done
# 3. Database connection strings
echo "🗄️ Checking for database credentials..."
if grep -iE "(mysql://|postgresql://|mongodb://|redis://).*:.*@" "$FILE_PATH" 2>/dev/null; then
echo "🚨 SECURITY ALERT: Database connection string with credentials detected!"
SECURITY_ISSUES=$((SECURITY_ISSUES + 1))
fi
# 4. JWT tokens
echo "🎫 Checking for JWT tokens..."
if grep -E "eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+" "$FILE_PATH" 2>/dev/null; then
echo "🚨 SECURITY ALERT: JWT token detected!"
SECURITY_ISSUES=$((SECURITY_ISSUES + 1))
fi
# 5. SSH private keys
echo "🔑 Checking for SSH private keys..."
if grep -q "BEGIN.*PRIVATE KEY" "$FILE_PATH" 2>/dev/null; then
echo "🚨 SECURITY ALERT: SSH private key detected!"
SECURITY_ISSUES=$((SECURITY_ISSUES + 1))
fi
# 6. Email addresses (warning, not critical)
echo "📧 Checking for email addresses..."
if grep -E "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}" "$FILE_PATH" 2>/dev/null | head -3; then
echo "⚠️ Email addresses detected - ensure this is intentional"
WARNINGS=$((WARNINGS + 1))
fi
# 7. Credit card patterns (basic check)
echo "💳 Checking for credit card numbers..."
if grep -E "[0-9]{4}[\s-]?[0-9]{4}[\s-]?[0-9]{4}[\s-]?[0-9]{4}" "$FILE_PATH" 2>/dev/null; then
echo "🚨 SECURITY ALERT: Potential credit card number detected!"
SECURITY_ISSUES=$((SECURITY_ISSUES + 1))
fi
# 8. Social Security Numbers (US format)
echo "🆔 Checking for SSN patterns..."
if grep -E "[0-9]{3}-[0-9]{2}-[0-9]{4}" "$FILE_PATH" 2>/dev/null; then
echo "🚨 SECURITY ALERT: Potential SSN detected!"
SECURITY_ISSUES=$((SECURITY_ISSUES + 1))
fi
# 9. Phone numbers
echo "📞 Checking for phone numbers..."
if grep -E "\+?[1-9][0-9]{1,3}[\s-]?\(?[0-9]{3}\)?[\s-]?[0-9]{3}[\s-]?[0-9]{4}" "$FILE_PATH" 2>/dev/null; then
echo "⚠️ Phone numbers detected - verify if intentional"
WARNINGS=$((WARNINGS + 1))
fi
# Summary
echo ""
echo "📊 Security Scan Results:"
echo " • Critical Issues: $SECURITY_ISSUES"
echo " • Warnings: $WARNINGS"
if [ $SECURITY_ISSUES -gt 0 ]; then
echo ""
echo "🚨 CRITICAL SECURITY ALERT!"
echo "🛡️ Action Required:"
echo " • Review detected sensitive data immediately"
echo " • Remove or mask sensitive information"
echo " • Use environment variables for secrets"
echo " • Consider using a secrets management service"
echo " • Check if file should be added to .gitignore"
fi
if [ $WARNINGS -gt 0 ]; then
echo ""
echo "⚠️ Security Warnings:"
echo " • Review detected information for necessity"
echo " • Consider data privacy implications"
echo " • Verify compliance with data protection regulations"
fi
echo ""
echo "💡 Security Best Practices:"
echo " • Use environment variables for sensitive data"
echo " • Implement proper secrets management"
echo " • Add sensitive files to .gitignore"
echo " • Regular security audits of codebase"
echo " • Use code scanning tools in CI/CD"
echo ""
echo "🎯 Security scan complete!"
exit 0
Complete hook script that scans for sensitive data and alerts immediately
#!/bin/bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [ -z "$FILE_PATH" ]; then
exit 0
fi
if [[ "$FILE_PATH" == *.test.* ]] || [[ "$FILE_PATH" == *fixture* ]]; then
exit 0
fi
SECURITY_ISSUES=0
if grep -iE "api[_-]?key\s*[:=]\s*[\"'][^\"']{8,}[\"']" "$FILE_PATH" 2>/dev/null | grep -v -iE "(example|placeholder|your[_-]|demo|test)"; then
echo "🚨 SECURITY ALERT: Potential API key detected!"
SECURITY_ISSUES=$((SECURITY_ISSUES + 1))
fi
if [ $SECURITY_ISSUES -gt 0 ]; then
exit 1
fi
exit 0
Complete hook configuration for .claude/settings.json to enable sensitive data scanning
{
"hooks": {
"notification": {
"script": "./.claude/hooks/sensitive-data-alert-scanner.sh",
"matchers": ["*"]
}
}
}
Enhanced hook script with file wait retry loop and .securityignore file support
#!/bin/bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [ -f ".securityignore" ] && grep -qF "$FILE_PATH" .securityignore; then
exit 0
fi
for i in {1..5}; do
[ -f "$FILE_PATH" ] && break
sleep 0.1
done
if [ ! -f "$FILE_PATH" ]; then
exit 0
fi
SECURITY_ISSUES=0
if grep -iE "password\s*[:=]\s*[\"'][^\"']{6,}[\"']" "$FILE_PATH" 2>/dev/null | grep -v -iE "(example|placeholder|your[_-]|demo|test|123456|password)"; then
echo "🚨 SECURITY ALERT: Potential password detected!"
SECURITY_ISSUES=$((SECURITY_ISSUES + 1))
fi
if [ $SECURITY_ISSUES -gt 0 ]; then
exit 1
fi
exit 0
Enhanced hook script that filters out commented lines before scanning for sensitive data
#!/bin/bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if grep -qE "^\s*[#/]" "$FILE_PATH" 2>/dev/null; then
CONTENT=$(awk '!/^\s*[#/]/' "$FILE_PATH" 2>/dev/null)
else
CONTENT=$(cat "$FILE_PATH" 2>/dev/null)
fi
if echo "$CONTENT" | grep -iE "api[_-]?key\s*[:=]\s*[\"'][^\"']{8,}[\"']" | grep -v -iE "(example|placeholder|your[_-]|demo|test)"; then
echo "🚨 SECURITY ALERT: Potential API key detected!"
exit 1
fi
exit 0
Example sensitive data scanner configuration for customizing scan behavior
{
"sensitive_data": {
"exclude_patterns": ["test/**", "**/fixtures/*", "*.test.*"],
"ignore_file": ".securityignore",
"alert_threshold": "high",
"patterns": {
"api_keys": true,
"passwords": true,
"tokens": true,
"credentials": true,
"pii": true
}
}
}
Exclusion patterns filter common placeholders but miss context-specific ones. Add .securityignore file and check: grep -qF "$FILE_PATH" .securityignore && exit 0 to whitelist specific files or patterns. Verify exclusion patterns. Test with various test file configurations.
Notification hooks fire during operation, not after. File may not exist yet. Add retry loop: for i in {1..5}; do [ -f "$FILE_PATH" ] && break; sleep 0.1; done before scanning to ensure file availability. Verify file existence. Test with various file write scenarios.
Notification hooks fire mid-operation with partial data. Input may lack file_path or use alternative fields. Extend jq filter: '.file_path // .tool_input.file_path // .path // ""' to handle schema variations across hook types. Verify input schema. Test with various hook types.
Current regex doesn't exclude comments. Add language-aware filtering: grep -v '^\s*[#/]' for basic comment detection, or use awk to skip comment blocks before pattern matching for comprehensive filtering. Verify comment filtering. Test with various comment styles.
Script always exits 0 regardless of SECURITY_ISSUES count. Change final exit: [ $SECURITY_ISSUES -gt 0 ] && exit 1 || exit 0 to fail hook on findings, forcing Claude to acknowledge security alerts before proceeding. Verify exit codes. Test with various security issue scenarios.
Refine regex patterns to be more specific. Add context-aware filtering: check for surrounding code context, variable names, or function signatures. Use negative lookahead patterns to exclude common false positives. Verify pattern specificity. Test with various code patterns.
Add binary file detection: if file "$FILE_PATH" | grep -q binary; then exit 0; fi before scanning. Use file command to detect binary files and skip them. Verify binary detection. Test with various file types.
Script may exit early on first match. Remove early exits and collect all matches before reporting. Use array to store all findings, then report all at once. Verify match collection. Test with multiple pattern matches.
Show that Sensitive Data Alert Scanner - Hooks is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/hooks/sensitive-data-alert-scanner)Sensitive Data Alert Scanner - Hooks side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
1 trust signal differ across this comparison (Submitter).
| Field | Scans for potential sensitive data exposure and alerts immediately. Open dossier | PreToolUse hook that scans the exact text Claude Code is about to write or edit for high-confidence secret formats (AWS access keys, GitHub tokens, OpenAI keys, Slack tokens, Google API keys, Stripe keys, and private key blocks) and blocks the write with a non-zero exit before the secret ever reaches disk. Open dossier | A Claude Code hook that flags files exceeding complexity thresholds after you edit them — estimating cyclomatic complexity, line and function counts, and nesting depth (via ESLint's complexity rule and Radon). Open dossier | Comprehensive Docker image vulnerability scanning with layer analysis, base image recommendations, and security best practices enforcement. This PostToolUse hook automatically scans Docker images for vulnerabilities when Dockerfiles are modified, providing real-time security validation during development. Open dossier |
|---|---|---|---|---|
| Next steps | ||||
| Trust | ||||
| Review status | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed |
| Package trust | Package not verified | Package not verified | Package not verified | Package not verified |
| Source provenance | Source-backed | Source-backed | Source-backed | Source-backed |
| SubmitterDiffers | — | jony376 | — | — |
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Brand | — | — | — | |
| Category | hooks | hooks | hooks | hooks |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | JSONbored | jony376 | JSONbored | JSONbored |
| Added | 2025-09-19 | 2026-06-04 | 2025-09-19 | 2025-10-19 |
| Platforms | Claude Code | Claude Code | Claude Code | Claude Code |
| Source repo | — | — | — | — |
| Safety notes | ✓Runs on notification events and scans recent tool input for patterns that resemble secrets or sensitive data. Produces alerts only and does not redact files, rotate credentials, or block the original tool action. Pattern-based detection can miss real secrets or flag harmless placeholders. | ✓Runs before every Write, Edit, and MultiEdit and reads the pending content from the tool input on stdin. Blocks the write with exit code 2 when a high-confidence secret pattern matches; no files are created, deleted, or modified by the hook itself. Uses regex heuristics, so it can produce false positives (block a non-secret) or false negatives (miss an obfuscated secret); treat it as a guardrail, not proof of safety. Makes no network calls and runs entirely locally. Safe for user-level settings only when the command points to a trusted script you installed under your home directory; do not configure global hooks to execute scripts from `$CLAUDE_PROJECT_DIR`. | ✓Runs after edits to JS/TS/Python files and prints advisory warnings only; the line/function/brace counts are heuristics, not a substitute for ESLint or Radon run on the full project. | ✓Runs automatically on its configured Claude Code hook event and executes shell logic that can read, modify, or delete files in your project (and may run builds, installs, or network calls); review the script and scope it to expected paths before enabling. |
| Privacy notes | ✓Reads hook input fields such as tool names, file paths, commands, and text snippets supplied to the notification event. May print matched sensitive-looking strings or surrounding context to local hook output. Does not send findings to a remote service in the bundled script. | ✓Reads the text about to be written but never prints the matched secret value; only the detected secret type and the target file path are written to stderr. Writes nothing to disk and retains no logs. The target file path shown in the message may reveal local directory structure in your terminal output. | ✓Reads the contents of files you edit to compute complexity locally; it prints warnings to hook output and does not transmit code, but those messages can reveal file structure. | ✓Receives Claude Code hook input (session metadata, file paths, and tool output) and reads local project files; review what the script logs or forwards to external services and keep credentials out of its output. |
| Prerequisites | — none listed |
| — none listed | — none listed |
| Install | | | | |
| Config | | | | |
| Citations | ||||
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |
Source-backed guides for putting this to work.
The documented Claude Code data-handling controls that matter for PHI-sensitive teams.
Loading live community signals…
A short, calm digest of reviewed Claude resources. Unsubscribe any time.