Hook environment isolation doesn't match documentation (secrets visible to hooks)

Resolved 💬 3 comments Opened Jan 19, 2026 by silentphil77 Closed Jan 19, 2026

Description

The changelog for v2.1.9 states:

"Hook scripts now run in isolated environment without parent shell variables"

However, testing on v2.1.12 shows that hooks receive the complete parent shell environment, including sensitive variables like API tokens and secrets.

Evidence

Captured environment from hook executions shows:

BWS_ACCESS_TOKEN=0.df4de2c5-****  (full Bitwarden Secrets token)
GITHUB_TOKEN=**** 
HOME=/home/user
PATH=... (full 4KB+ path)
USER=username

All 8 hook types tested (SessionStart, PreToolUse, PostToolUse, SubagentStart, SubagentStop, Stop, UserPromptSubmit, PermissionRequest) show identical behavior.

Understanding the Nuance

I understand that some environment inheritance is likely necessary:

  • PATH - hooks need to find executables (python, node, git)
  • HOME - hooks need to find config files
  • SHELL, USER - for subprocess spawning and permissions

Complete isolation would break most practical hooks.

The Concern

The issue is that secret variables are also passed:

  • *_TOKEN variables
  • *_SECRET variables
  • *_API_KEY variables
  • Any other credentials in the user's shell

Users reading the documentation may incorrectly assume their secrets are protected from hook scripts.

Suggestions

Option A: Update documentation

  • Remove or clarify the "isolated environment" claim
  • Add a security note that hooks can access parent environment
  • Recommend users avoid storing secrets in env vars if using hooks

Option B: Implement selective isolation

  • Strip variables matching secret patterns (TOKEN, SECRET, KEY, PASSWORD, API)
  • Whitelist necessary system vars (PATH, HOME, USER, SHELL, LANG, TERM)
  • Optionally allow hooks to request full env access

Test Methodology

  1. Created capture hook that logs os.environ to file
  2. Registered for all hook events in settings.json
  3. Ran normal Claude Code session
  4. Analyzed 65+ capture files across all hook types

Environment

  • Claude Code version: 2.1.12
  • Platform: Linux (WSL2 Ubuntu 24.04)

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗