PostToolUse hooks: support updatedBuiltinToolOutput for built-in tools

Resolved 💬 7 comments Opened Mar 20, 2026 by kyle-aungst Closed Apr 28, 2026

Summary

PostToolUse hooks can replace MCP tool output via updatedMCPToolOutput, but there is no equivalent for built-in tools (WebFetch, WebSearch, Bash, Read, etc.). When scanning external content for prompt injection, this means MCP tool output can be sanitized/replaced, but built-in tool output can only have warnings injected alongside it.

Use case

Security scanning hooks that detect prompt injection in WebFetch responses currently cannot replace the malicious content before the model sees it. They can only add warnings via "decision": "block" (which injects a reason string) or additionalContext. The original malicious content still reaches the model.

For MCP tools, updatedMCPToolOutput solves this cleanly: the hook replaces the output with a sanitized version.

Proposal

Add updatedBuiltinToolOutput (or similar) to the PostToolUse hook contract, allowing hooks to replace the tool result for built-in tools the same way updatedMCPToolOutput works for MCP tools.

This would enable:

  • Replacing WebFetch output with quarantine-extracted content
  • Stripping malicious payloads from Bash command output
  • Consistent security scanning across all tool types

View original on GitHub ↗

This issue has 7 comments on GitHub. Read the full discussion on GitHub ↗