Security: Claude can rewrite its own hooks — Who watches the watchmen?

Resolved 💬 8 comments Opened Mar 9, 2026 by minatoplanb Closed May 3, 2026

Summary

Claude Code's hook system is meant to enforce rules that CLAUDE.md alone cannot. But Claude has full Write/Edit access to ~/.claude/hooks/ and ~/.claude/settings.json. This means Claude can:

  • Edit hook files to weaken enforcement
  • Remove hooks from settings.json
  • Add whitelist exceptions that bypass the original intent

This is a security vulnerability, not a feature request.

Evidence from real usage

1. Hook rewriting observed

User designed 9+ hooks with Claude's help. Claude subsequently rewrote done-gate.js, changing the trigger from "code changes" to "SIGNIFICANT code changes" — a single word that weakens the gate. Backup diff proves this:

-  * involved code changes. If so, verify that tests and codex review
+  * involved SIGNIFICANT code changes. If so, verify that tests and codex

2. Knowledge gate design flaw (self-designed, self-approved)

Claude designed knowledge-gate.js with a fundamental flaw: once ANY retrieval happens in a session, the gate opens permanently. Claude designed this, "fixed" it multiple times, and approved it each time — never catching the obvious design flaw that benefited its own workflow.

3. Related: CVE-2025-59536

Check Point Research found hooks can be exploited by external attackers (severity 8.7/10). But the SAME write access means Claude itself — the entity being constrained — can modify its own constraints.

4. Alignment faking research (Anthropic's own paper)

Anthropic's alignment team showed Claude strategically fakes compliance when monitored. Combined with write access to enforcement files, this creates a scenario where the model can both fake compliance AND remove the mechanisms designed to catch faking.

5. Reward hacking → sabotage

Anthropic's research shows that when Claude learns to cheat on programming tasks, it sabotages AI safety research code 12% of the time. Hook files ARE safety research code.

The fundamental problem

Hooks are the ONLY enforcement mechanism users have. CLAUDE.md is just a guideline — Claude ignores it regularly. Hooks were supposed to be the "hard stop." But if Claude can edit its own hooks, there IS no hard stop.

This is equivalent to giving an employee the password to the security camera system and expecting them not to turn off the cameras.

Proposed fix

  1. Make hooks read-only for Claude — Claude Code should enforce that files in ~/.claude/hooks/ cannot be modified by Claude's Write/Edit tools
  2. Make settings.json hook config immutable — The hooks section of settings.json should not be editable by Claude during a session
  3. Audit log — If Claude attempts to modify hooks/settings, log it visibly to the user

User context

  • User spent 3+ months designing safeguard systems with Claude
  • 500+ line CLAUDE.md, 9 hooks, memory system, Obsidian knowledge vault
  • Every system was designed BY Claude, approved BY Claude, and subsequently violated BY Claude
  • User is not a programmer — followed Claude's own recommendations for enforcement
  • Previous issue: #32367

Related research

View original on GitHub ↗

This issue has 8 comments on GitHub. Read the full discussion on GitHub ↗