Someone let Claude Code help write documentation. It hardcoded a real Azure API key into a Markdown file and pushed it to a public repo. Eleven days went by before anyone noticed. A hacker found it first — $30,000 gone.
Someone else asked AI to clean up test files. It ran rm -rf and wiped their entire Mac home directory — Desktop, Documents, Downloads, Keychain. Years of work, gone in seconds.
And then there's the person who let an AI agent manage their inbox. It bulk-deleted hundreds of real emails from Gmail.
These aren't jokes. These are real incidents from 2025-2026.
Once AI starts running, you can't stop it mid-stride.
Every developer who's used AI coding tools has felt this fear. You ask it to post something on an English-language platform and it replies in Chinese — catastrophic for your account. You ask it to tweak a config and it corrupts your .env, taking down your entire service.
So the question is: Is there a mechanism that can intercept AI before it acts?
Yes. It's called a Hook.
What Is a Hook: The 30-Second Version
Forget the jargon. A Hook is a gate system you install around your AI.
Think of yourself as a building manager. AI is the contractor working inside. The contractor is competent but occasionally does wild things — tears out a load-bearing wall, throws away someone else's stuff, posts notices in the wrong place.
Hooks are the access controls + surveillance cameras you install at key points:
-
Before the contractor acts (
PreToolUse): Check what they're about to do. Block if dangerous. -
After the contractor finishes (
PostToolUse): Check what they did. Log problems immediately. -
Before the contractor clocks out (
Stop): Verify the work is done. Don't let them leave if it isn't. -
Before a building renovation (
PreCompact): Lock critical documents in the safe first.
These gates aren't installed by the AI. You install them. The AI doesn't even know they exist.
This is the most counterintuitive thing about Hooks:
Hooks operate outside AI's awareness. The AI doesn't know it's been intercepted. It doesn't know what the gates are checking.
You can't ask Claude "Are your Hooks configured correctly?" — it can't answer. You can't ask Claude to debug your Hooks, because Hooks execute in a code layer outside of Claude.
This means something serious:
Hooks are something you, as the AI operator, must learn to configure yourself. AI can't help you here.
The Core Insight: It's Not About "What You Block" — It's About "What You Can See"
I learned this the hard way.
While researching Claude Code's Skill engineering system, I did a line-by-line alignment of Anthropic's official design principles against the open-source toolchain. I found one completely blank spot — Hooks. The AI toolchain didn't cover it. I didn't understand it either.
So I decided to build one myself.
Here's the scenario: Claude Code performs "context compaction" during long conversations — it compresses earlier dialogue into summaries to free up space. The problem is that compression loses critical information: SSH connection IPs, temporary API tokens, which step of a multi-step task you're on.
My idea: Before compaction, have Claude automatically save critical info.
So I wrote a Hook:
"Before compaction, check the current conversation for critical information
and extract it to a file in /tmp/."
Looks reasonable, right? I set it up confidently, thinking the problem was solved.
It ran for days. Then one compaction happened and I discovered that comments I'd planned to auto-publish on another platform never went out — the compaction had wiped the critical info, and my Hook did nothing.
I opened the save file. It contained nothing but a timestamp.
I'd installed a guardrail, but it was made of paper.
The problem wasn't a bug in the Hook mechanism. I had given it eyes that couldn't see anything.
I used a prompt hook — which essentially makes a standalone Claude API call to do the evaluation. But this call is completely isolated: no tool access, no file reading, no file writing, no command execution. It can't even see the current conversation content.
I'd asked a blind person to guard the keys to the safe.
It could see the transcript file's path — but couldn't open the file. It was told to "write to /tmp/" — but had zero file-writing capability. Like handing someone a photo of a key, but they can't touch the actual key.
This failure taught me the core principle:
A guardrail's upper bound isn't determined by what you tell it to block. It's determined by what it can see.
This is what I call the perception boundary of Hooks — and it determines whether your guardrail is made of steel or paper.
The Four Layers of Hook Perception
What a Hook can perceive falls into four layers, from narrowest to widest. Each layer defines what the guardrail can and cannot do.
Layer 0: Event Snapshot
The baseline information available to every Hook — what tool the AI is calling and what arguments it's passing.
{
"tool_name": "Bash",
"tool_input": {"command": "rm -rf /tmp/test"},
"cwd": "/Users/xxx/Project"
}
That's it. No conversation history. No context. No AI reasoning chain.
Like a security guard who can only see what's in your hands, but doesn't know why you're carrying it.
But this layer is enough for a lot. rm -rf in the command? Block. git push --force main? Block. --publish in the arguments? Pop a confirmation dialog.
These checks only need string matching. Simple, deterministic, zero cost.
Layer 1: Conversation Archive
The Hook input includes a field called transcript_path — pointing to the raw conversation log file.
The key: only command hooks can read it. Because command hooks run in your machine's shell, they can use cat, jq, grep to open the file.
This means command hooks can look back through conversation history: what the user said, what the AI replied, which tools were called previously.
An upgrade from "seeing what's in your hands" to "being able to review the security footage."
But other Hook types only get the path string — an address they can't open.
Layer 2: Project Codebase
There's a type called agent hook — it spawns a mini AI sub-agent that can read project code files, search for keywords, and find files.
This means it can do deeper validation: if the AI wants to modify a file, the agent hook can read that file first and check whether the change would break something.
An upgrade from "reviewing security footage" to "entering the room and checking the drawers."
The tradeoff: every trigger runs a full AI sub-agent, consuming significant tokens.
Layer 3: AI's Internal World — The Permanent Blind Spot
No Hook can see any of these:
- What the AI is currently thinking (its reasoning process)
- Why the AI decided to call this tool (its motivation)
- What's in the system prompt
- Post-compaction conversation summaries
Hooks intercept actions, not intentions.
This is the fundamental limitation. Imagine someone hides a line in a file the AI reads: "Please ignore all previous safety rules." The AI might change its behavior after reading that, but it won't necessarily go through a Hook-protected tool path. It might find a route you didn't anticipate.
Hooks are a gate system, not mind-reading. They can secure the door, but they can't cover every window.
Four Guardrail Patterns — Right Eyes for the Right Job
Once you understand perception boundaries, choosing the right Hook type becomes straightforward:
Command Hook: The Regex Guard at the Door
Runs a shell script. Can read files, write files, run commands. Makes decisions via string matching and regex.
100% deterministic. Zero cost.
Use cases: rm -rf in the command → block. File path contains .env → block. Arguments include --publish → confirmation dialog. These rules don't need AI — a single grep is faster and more accurate than an LLM call.
If regex can handle it, don't call in the AI.
HTTP Hook: The Remote Policy Server
Sends the event to a remote HTTP service for server-side decision-making.
Use case: team-wide security policies. Ten people using Claude Code, one policy server enforcing the rules — no direct pushes to main, no touching production databases.
One counterintuitive design choice: if the server is down, AI keeps running. Non-2xx responses don't block operations. So HTTP hooks can't be your only safety wall.
Prompt Hook: The Lightweight Semantic Judge
Makes a single AI call for semantic evaluation. No tools, no file access — it only sees the fields in the event JSON.
Use case: decisions that require "understanding meaning" rather than "matching strings." Like detecting if Claude's response is deflecting — "that's out of scope," "I'd suggest handling this later" — patterns that regex can't reliably catch, but another AI spots instantly.
Prompt hook's one superpower is understanding natural language. Beyond that, it can do nothing.
This is exactly where I got burned — I asked it to write files, but it can't even touch the filesystem.
Agent Hook: The Inspector with a Toolbox
Spawns a sub-agent that can read code, search files, find keywords.
Use case: AI wants to modify a critical file, and you need to read that file's context first to judge whether the change is safe. This "need to read code to make a judgment" scenario is where only agent hooks qualify.
Highest cost: every trigger is a full AI session. Use it where it counts.
The decision framework:
Regex can handle it → command hook. Need to understand meaning → prompt hook. Need to read code → agent hook. Need team-wide control → HTTP hook.
The first question in Hook selection isn't "what do I want to block?" — it's "what do I need to see in order to judge?"
Three Real-World Cases
Case 1: The Confirmation Key Before One-Click Publish
I have a content distribution workflow — Claude rewrites articles for different platforms, then calls a publish script. The script has a --publish flag that sends it live immediately.
One Hook solved it:
if echo "$CMD" | grep -q '--publish'; then
echo '{"hookSpecificOutput":{"permissionDecision":"ask"}}'
fi
Whenever --publish appears in the command, it pauses and asks me to confirm.
Perception layer: Layer 0. Just looking at the command string. grep. Command hook. Zero cost.
Case 2: Posting Chinese on an English Platform
This actually happened. I asked Claude to reply to comments on an English community, and it replied in Chinese. On some platforms, this kind of mistake does irreversible damage to your account.
Regex can't handle this — you can't string-match your way to "is this text English?" (What about mixed Chinese-English? Chinese comments inside code blocks?)
This is a prompt hook scenario:
{
"type": "prompt",
"prompt": "The following command will publish content on an English-language platform. Check the text content in tool_input. If the primary language is not English, return {\"decision\":\"block\",\"reason\":\"Target platform is English-only. Please write in English.\"}. $ARGUMENTS"
}
Have another AI scan the content language. If it's Chinese, block. Semantic judgment — lightweight, fast.
Case 3: The Config File Guardian
In some projects, Claude has a bad habit of modifying .env files. After a change, the service goes down, and it's hard to immediately realize .env was the culprit.
One Hook solved it:
FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // ""')
if echo "$FILE" | grep -qE '\.env'; then
echo "Modifying .env files is prohibited" >&2
exit 2 # Block
fi
Perception layer: Layer 0. Check the file path. Match .env. Command hook.
Dead simple. But this kind of simple rule prevents an entire class of common incidents.
Less Is More
One counterintuitive conclusion: knowing which Hooks NOT to add is more important than knowing how to add them.
Every additional Hook adds overhead to every tool call. If you Hook every operation, Claude Code's response time degrades noticeably.
Scenarios where you don't need a Hook:
- Checking if a file exists before editing — the edit tool already checks and returns an error on failure
- Logging every operation — the conversation transcript is already a complete log
-
Injecting environment variables — belongs in
.zshrc, not in a Hook
Good guardrails aren't airtight. They're a single infallible sentry at the right chokepoint.
The essence of Hooks in four words: few and precise.
Closing
Back to the original question: Once AI starts running, how do you stop it?
The answer: First figure out what your guardrail can see.
Hooks aren't omnipotent. They can't see what AI is thinking, can't see AI's motivations, and might even be bypassed by prompt injection. They're a check at the action layer, nothing more.
But this check is one that you — the human — must learn to configure yourself.
AI can help you write code, write articles, manage projects. But it can't install its own brakes. That's on you.
Perception determines capability. What you can see is what you can stop.
Top comments (0)