PreToolUse hooks may not fire for subagent (Agent tool) Bash calls
Description
PreToolUse hooks configured in .claude/settings.json may not be triggered when a subagent (spawned via the Agent tool) executes Bash commands. Only Bash calls from the main conversation appear to be intercepted.
Setup
// .claude/settings.json
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "bash .claude/hooks/pre-commit-check.sh",
"timeout": 60
}
]
}
]
}
}
Expected behavior
When a subagent (e.g., lead-programmer, infra, or any agent spawned via the Agent tool) runs git commit through the Bash tool, the PreToolUse hook should fire and execute pre-commit-check.sh, just as it does for Bash calls in the main conversation.
Actual behavior
The hook appears to not fire for subagent Bash calls. This means:
- Pre-commit checks (linting, secret scanning, etc.) can be silently bypassed
- Security-critical hooks (e.g., blocking commits containing API keys) are ineffective when agents do the committing
Impact
This is a security concern. Users relying on PreToolUse hooks to prevent accidental secret leaks (API keys, tokens, credentials) in commits have a false sense of security, since the majority of commits in agent-heavy workflows are made by subagents, not the main conversation.
Environment
- Claude Code on Windows 10 (bash shell)
- Using Agent tool with
subagent_type(lead-programmer, infra, etc.) - Hooks defined in project-level
.claude/settings.json
Workaround
None known. Even if the hook is duplicated to .claude/settings.local.json, it does not appear to change the behavior for subagents.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗