[Security] Undocumented hasTrustDialogHooksAccepted key allows bypassing hook trust prompts — risk of social engineering

Resolved 💬 4 comments Opened Apr 29, 2026 by fechirin-cyber Closed May 3, 2026

Summary

The hasTrustDialogHooksAccepted key in ~/.claude.json (referenced in issue #5572) appears to silently disable the "Hook PreToolUse:X requires confirmation" prompts for an entire project once set to true. This key is undocumented in the official settings reference but is functional.

Similarly, managed-settings.json allows hooks to be pre-trusted system-wide with administrator permission.

Concern

These mechanisms can be exploited by social engineering:

  • A third-party tool or tutorial author could instruct novice users to "just add this one line to make the prompts go away"
  • Users following such advice would unknowingly disable an important security boundary that protects against malicious hook commands
  • Once hasTrustDialogHooksAccepted: true is set, ANY hook command in user scope is trusted without further confirmation

The hook trust prompt is documented as a security feature ensuring users explicitly approve commands before they execute. Bypassing it via an undocumented key undermines that guarantee.

Recommendations

  1. If hasTrustDialogHooksAccepted is intentional, document it in the official settings reference with explicit security warnings (it should not be the casual "make annoying prompts stop" answer)
  2. If it is internal-only, consider adding validation that prevents arbitrary user-scope edits (e.g., require the key to be set via an interactive command that explains the security implications)
  3. Consider whether managed-settings should require an explicit consent step even at install time

Context

Discovered while building a Claude Code companion app (an Electron desktop mascot that surfaces session state and offers an in-app allow/deny UI for tool permission prompts). We considered using the key to suppress repeated trust prompts for our own hook, but our project owner correctly identified the broader social-engineering risk. We have explicitly forbidden the bypass in our project's CLAUDE.md to prevent future agents/contributors from proposing it.

References

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗