PreToolUse hook: optional field to display a prominent warning string above the command in the permission dialog

Open 💬 2 comments Opened May 28, 2026 by NicolasGlueck

Problem

When a PreToolUse hook returns permissionDecision: "ask", the permissionDecisionReason is shown small and greyed-out below the command in the permission dialog. For destructive operations this is easy to overlook — a user scanning quickly may approve a rm -rf or DROP DATABASE without registering what the command actually does, especially when the command is long or wrapped (e.g. inside an ssh "..." string).

The reason text is the right mechanism, but its position (below the command) and styling (small, grey) work against its safety purpose. The most important information — what kind of action this is — should be the first thing the user sees.

Proposed solution

Add an optional output field to the PreToolUse hook response that, if present, is rendered prominently and above the command in the permission dialog (e.g. bold/colored, like a warning banner). Suggested name: warningBanner.

{
  "hookSpecificOutput": {
    "hookEventName": "PreToolUse",
    "permissionDecision": "ask",
    "permissionDecisionReason": "Deletes files older than 10 days in /tmp",
    "warningBanner": "⚠ DELETE"
  }
}

Why optional / non-breaking

  • Opt-in; hooks that don't set it behave exactly as today.
  • It does not let hooks redesign the dialog or relabel buttons — only adds a single prominent string, so it cannot disguise a dangerous action as harmless.
  • It directly serves the safety intent of the permission prompt.

Use case

I run a PreToolUse hook that flags destructive commands (rm, DROP, TRUNCATE, docker volume rm, etc.) and asks for confirmation. Detection works, but the action type only appears small/grey below the command, so it is easy to approve without really reading it — particularly for commands wrapped inside ssh "..." where the destructive keyword is buried in a long string

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗