Security hook blocks legitimate mentions in documentation files

Resolved 💬 3 comments Opened Oct 22, 2025 by steinster Closed Jan 8, 2026

Summary

The security-guidance plugin's pre-tool-use hook blocks security-related terms (like eval(, exec(, innerHTML, etc.) in all files, including documentation files like .md, .txt, and .html. This prevents developers from writing documentation about security best practices.

Steps to Reproduce

  1. Enable the security-guidance plugin
  2. Try to edit a .md file that contains the text "eval(" (e.g., documenting security vulnerabilities)
  3. The security hook blocks the edit with: ⚠️ Security Warning: eval() executes arbitrary code...

Expected Behavior

  • Security hooks should block dangerous patterns in code files (.js, .ts, .py, etc.)
  • Security hooks should allow these terms in documentation files (.md, .txt, .rst, .html, etc.)

Current Behavior

All content-based security checks trigger regardless of file type, preventing legitimate documentation about security topics.

Affected File

plugins/security-guidance/hooks/security_reminder_hook.py

Specifically the check_patterns function (lines ~183-199) performs substring matching without checking if the file is documentation.

Proposed Solution

Modify the check_patterns function to skip content-based checks for documentation files:

def check_patterns(file_path, content):
    """Check if file path or content matches any security patterns."""
    # Normalize path by removing leading slashes
    normalized_path = file_path.lstrip("/")

    # Documentation file extensions that should skip content-based security checks
    doc_extensions = ['.md', '.txt', '.rst', '.adoc', '.asciidoc', '.html', '.htm']
    is_documentation = any(normalized_path.endswith(ext) for ext in doc_extensions)

    for pattern in SECURITY_PATTERNS:
        # Check path-based patterns
        if "path_check" in pattern and pattern["path_check"](normalized_path):
            return pattern["ruleName"], pattern["reminder"]

        # Check content-based patterns (skip for documentation files)
        if "substrings" in pattern and content and not is_documentation:
            for substring in pattern["substrings"]:
                if substring in content:
                    return pattern["ruleName"], pattern["reminder"]

    return None, None

Why This Matters

  1. Documentation should be able to discuss security patterns
  2. The fix maintains security (still checks code files)
  3. Path-based checks (like GitHub Actions workflows) remain intact

Environment

  • Claude Code version: Latest
  • OS: Windows 10
  • Plugin: security-guidance (from official marketplace)

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗