Rule ID: AE-CC-001 · Severity: Blocker · Category: Agent Config · Auto-fixable: No
AE-CC-001 is never auto-fixed. Dangerous hook commands require human review — Charter shows the evidence and guidance but will not rewrite hook configurations automatically.

Why this rule

Agent hook configurations run shell commands automatically on events like file save or tool use. A destructive or injection-vulnerable hook fires without explicit user action — in an agent session, the agent may trigger it indirectly through file writes. Because hooks execute outside the agent’s visible reasoning loop, a compromised hook can cause irrecoverable damage — deleted files, elevated permissions, or remote code execution — before any human has a chance to intervene.

What triggers it

Charter scans agent hook configuration files — .claude/settings.json and .claude/settings.local.json for Claude Code, and .cursor/hooks.json for Cursor — and inspects every command declared across all hook events. It flags commands that fall into three danger classes:
| Danger class | Examples | Why dangerous |
| --- | --- | --- |
| Shell injection | $(), backticks, && with open input | Agent-controlled input can execute arbitrary commands |
| Destructive commands | rm -rf, git reset --hard, git clean -fd | Irrecoverable file loss triggered automatically |
| Privilege escalation | sudo, chmod 777, chown -R | Elevates permissions beyond intended scope |
Charter quotes the offending command in the finding evidence so you can locate it immediately.

Examples

A hook command using rm -rf with a shell-expanded path — destructive and flagged Blocker:
.claude/settings.json
{
  "hooks": {
    "PostToolUse": [{
      "command": "rm -rf /tmp/$(basename $FILE)"
    }]
  }
}
A hook elevating permissions is also flagged:
.claude/settings.json
{
  "hooks": {
    "PostToolUse": [{
      "command": "sudo chmod 777 ./bin"
    }]
  }
}

How to fix

1. Locate the flagged hook

Run charter explain AE-CC-001 to see the finding evidence. Charter identifies the config file and the offending command pattern.

2. Replace the dangerous pattern

Substitute destructive or injection-vulnerable commands with explicit, scoped, non-destructive alternatives. Prefer array-form execution (args) over shell strings to avoid expansion.

3. Review against the injection model

For each hook, ask: “If an agent were prompt-injected, could this hook be weaponized?” If yes, redesign the command to be safe regardless of what the agent does.

4. Commit the change

Commit the updated hook config. Charter re-evaluates on the next scan.

OWASP MCP Top 10 item MCP05 covers command injection in agent hooks. Charter’s AE-CC-001 is a static check for the most obvious patterns — it catches the dangerous cases without requiring runtime analysis.

Score impact

Blocker — engages the hard blocker score cap. The final score is capped at ≤ 59 whenever any Blocker finding is present, regardless of other findings.

Edge cases

Only the three JSON hook files are scanned in v1. hk.pkl, .pre-commit-config.yaml, lefthook.yml, and .husky/ shell-dir hooks are out of scope and not evaluated.
A controlled && chain where both sides are safe (e.g. cd app && npm test) is not flagged — operator chaining is only flagged when the left-hand side accepts open or agent-controlled input.
A hook file that cannot be parsed fails the scan fast with a wrapped error. Charter surfaces the parse failure rather than silently passing the file.
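
The sketch below shows how a static check of this kind can work, covering the three danger classes, the && edge case, and the parse-failure behaviour. It is an added example, not Charter's implementation: the regexes, the function names (classify, iter_commands, scan) and the cd $DIR sample command are assumptions made for illustration.

```python
import json
import re

# Assumed, simplified patterns for the page's three danger classes (not Charter's rules).
DESTRUCTIVE = re.compile(r"\brm\s+-(?:rf|fr)\b|\bgit\s+reset\s+--hard\b|\bgit\s+clean\s+-fd\b")
PRIVILEGE = re.compile(r"\bsudo\b|\bchmod\s+777\b|\bchown\s+-R\b")
SUBSTITUTION = re.compile(r"\$\(|`")          # $(...) or backticks anywhere
EXPANSION = re.compile(r"\$\(|`|\$\{?\w")     # any shell expansion: "open input"

def classify(command):
    """Return the danger classes; && counts only if its left side expands input."""
    classes = []
    left_sides = command.split("&&")[:-1]
    if SUBSTITUTION.search(command) or any(EXPANSION.search(p) for p in left_sides):
        classes.append("shell-injection")
    if DESTRUCTIVE.search(command):
        classes.append("destructive")
    if PRIVILEGE.search(command):
        classes.append("privilege-escalation")
    return classes

def iter_commands(node):
    """Yield every string stored under a "command" key, at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "command" and isinstance(value, str):
                yield value
            else:
                yield from iter_commands(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_commands(item)

def scan(text, source):
    """Parse one hook file; fail loudly on bad JSON rather than passing it."""
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"{source}: hook config could not be parsed") from exc
    hooks = config.get("hooks", {}) if isinstance(config, dict) else {}
    return [(c, classify(c)) for c in iter_commands(hooks) if classify(c)]

SAMPLE = json.dumps({"hooks": {"PostToolUse": [   # constructed sample input
    {"command": "rm -rf /tmp/$(basename $FILE)"}, {"command": "sudo chmod 777 ./bin"},
    {"command": "cd app && npm test"}, {"command": "cd $DIR && npm test"},
]}})

if __name__ == "__main__":
    print(*scan(SAMPLE, ".claude/settings.json"), sep="\n")
```

Pattern matching like this only catches the obvious cases; a command that passes still needs the manual review described under "Review against the injection model".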

AE-CC-002

Requires explicit edit-scope boundaries in the agent context file.

AE-SEC-001

Detects hardcoded secrets in tracked files.

CLI

charter explain AE-CC-001