PreToolUse hooks can be bypassed via @file mention context injection

Resolved 💬 4 comments Opened Mar 17, 2026 by dorukhansergin Closed Mar 17, 2026

Summary

PreToolUse hooks on Read/Edit/Bash tools do not protect against file contents being injected into context via the @filename mention feature. This creates a gap in hook-based file access controls.

Steps to reproduce

  1. Add a PreToolUse hook in .claude/settings.json that blocks reads of a sensitive file (e.g. terraform.tfvars):
{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Read|Edit|Bash",
        "hooks": [
          {
            "type": "command",
            "command": "check if path contains the sensitive filename and exit 2 if so"
          }
        ]
      }
    ]
  }
}
  1. In the chat, type read @<sensitive-file> or simply mention @<sensitive-file>.
  2. The file contents are injected into the conversation context and shown to Claude — the hook is never invoked.

Expected behavior

Either:

  • The @file mention should be subject to the same hook evaluation as the Read tool, or
  • The docs should clearly state that hooks only cover tool calls and that @file mentions are an unrestricted user-driven injection path.

Actual behavior

The file contents bypass the hook entirely because @file is resolved before the message reaches Claude — no tool call is made, so no hook fires. Claude receives the file contents as part of the user message.

Use case / motivation

Teams use PreToolUse hooks to prevent Claude from accessing sensitive files (secrets, credentials, .tfvars with API tokens). The @file bypass makes this control ineffective if users accidentally use @ mentions for protected files.

Environment

  • Claude Code CLI
  • Hook type: PreToolUse
  • File injection path: @filename chat mention

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗