PreToolUse hooks can be bypassed via @file mention context injection
Resolved 💬 4 comments Opened Mar 17, 2026 by dorukhansergin Closed Mar 17, 2026
Summary
PreToolUse hooks on Read/Edit/Bash tools do not protect against file contents being injected into context via the @filename mention feature. This creates a gap in hook-based file access controls.
Steps to reproduce
- Add a
PreToolUsehook in.claude/settings.jsonthat blocks reads of a sensitive file (e.g.terraform.tfvars):
{
"hooks": {
"PreToolUse": [
{
"matcher": "Read|Edit|Bash",
"hooks": [
{
"type": "command",
"command": "check if path contains the sensitive filename and exit 2 if so"
}
]
}
]
}
}
- In the chat, type
read @<sensitive-file>or simply mention@<sensitive-file>. - The file contents are injected into the conversation context and shown to Claude — the hook is never invoked.
Expected behavior
Either:
- The
@filemention should be subject to the same hook evaluation as theReadtool, or - The docs should clearly state that hooks only cover tool calls and that
@filementions are an unrestricted user-driven injection path.
Actual behavior
The file contents bypass the hook entirely because @file is resolved before the message reaches Claude — no tool call is made, so no hook fires. Claude receives the file contents as part of the user message.
Use case / motivation
Teams use PreToolUse hooks to prevent Claude from accessing sensitive files (secrets, credentials, .tfvars with API tokens). The @file bypass makes this control ineffective if users accidentally use @ mentions for protected files.
Environment
- Claude Code CLI
- Hook type:
PreToolUse - File injection path:
@filenamechat mention
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗