Security hook blocks legitimate mentions in documentation files
Resolved 💬 3 comments Opened Oct 22, 2025 by steinster Closed Jan 8, 2026
Summary
The security-guidance plugin's pre-tool-use hook blocks security-related terms (like eval(, exec(, innerHTML, etc.) in all files, including documentation files like .md, .txt, and .html. This prevents developers from writing documentation about security best practices.
Steps to Reproduce
- Enable the
security-guidanceplugin - Try to edit a
.mdfile that contains the text "eval(" (e.g., documenting security vulnerabilities) - The security hook blocks the edit with:
⚠️ Security Warning: eval() executes arbitrary code...
Expected Behavior
- Security hooks should block dangerous patterns in code files (
.js,.ts,.py, etc.) - Security hooks should allow these terms in documentation files (
.md,.txt,.rst,.html, etc.)
Current Behavior
All content-based security checks trigger regardless of file type, preventing legitimate documentation about security topics.
Affected File
plugins/security-guidance/hooks/security_reminder_hook.py
Specifically the check_patterns function (lines ~183-199) performs substring matching without checking if the file is documentation.
Proposed Solution
Modify the check_patterns function to skip content-based checks for documentation files:
def check_patterns(file_path, content):
"""Check if file path or content matches any security patterns."""
# Normalize path by removing leading slashes
normalized_path = file_path.lstrip("/")
# Documentation file extensions that should skip content-based security checks
doc_extensions = ['.md', '.txt', '.rst', '.adoc', '.asciidoc', '.html', '.htm']
is_documentation = any(normalized_path.endswith(ext) for ext in doc_extensions)
for pattern in SECURITY_PATTERNS:
# Check path-based patterns
if "path_check" in pattern and pattern["path_check"](normalized_path):
return pattern["ruleName"], pattern["reminder"]
# Check content-based patterns (skip for documentation files)
if "substrings" in pattern and content and not is_documentation:
for substring in pattern["substrings"]:
if substring in content:
return pattern["ruleName"], pattern["reminder"]
return None, None
Why This Matters
- Documentation should be able to discuss security patterns
- The fix maintains security (still checks code files)
- Path-based checks (like GitHub Actions workflows) remain intact
Environment
- Claude Code version: Latest
- OS: Windows 10
- Plugin: security-guidance (from official marketplace)
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗