Report security issues via GitHub Security Advisories (preferred) or email. Do not open public issues for security vulnerabilities.
OpenAgentLayer hooks are guardrails, not walls. They catch common mistakes and enforce best practices but are not a security boundary against determined adversaries.
| Hook | Protects against |
|---|---|
| pre-bash.mjs | Broad `rm -rf`, blanket `git add .`, DNS exfiltration patterns |
| post-bash.mjs | Accidental secret leaks in command output |
| post-write.mjs | Placeholder/stub code reaching production |
| subagent-scan.mjs | Silent scope reduction by agents |
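As an added illustration of what a hook of the pre-bash.mjs kind does (this is example code, not OpenAgentLayer's own hook): a PreToolUse guardrail that reads the tool-call JSON Claude Code passes on stdin, matches the Bash command against the three pattern families in the table, and blocks with exit code 2. The `tool_name`/`tool_input.command` field names and the exit-code-2 blocking convention follow Claude Code's hook contract as I understand it; treat them as assumptions, and the sample commands in the test are constructed.

```javascript
// Added example, not OpenAgentLayer's pre-bash.mjs. Written as CommonJS so it
// runs with plain `node`; the project's hooks are .mjs modules.
// Assumed Claude Code hook contract: JSON on stdin with tool_name and
// tool_input.command; exit code 2 blocks the call and sends stderr to the model.

// Each rule: name, regex over the shell command, and the reason reported back.
const RULES = [
  {
    name: "broad-rm-rf",
    // rm with -r/-R and -f (combined or separate) aimed at /, /*, ~, $HOME or a bare *
    re: /\brm\s+(?:-\w*[rR]\w*f\w*|-\w*f\w*[rR]\w*|(?:-[rR]|-f)\s+(?:-[rR]|-f))\s+(?:\/\*?|~\/?|\$HOME\/?|\*)(?:\s|$)/,
    reason: "recursive force-delete of a broad path",
  },
  {
    name: "blanket-git-add",
    re: /\bgit\s+add\s+(?:\.|-A|--all)(?:\s|$)/,
    reason: "blanket git add stages everything, including secrets and stray files",
  },
  {
    name: "dns-exfil",
    // DNS lookup whose hostname embeds command substitution or a 40+ char base64-like label
    re: /\b(?:dig|nslookup|host)\b[^|;&]*(?:\$\(|`|\b[A-Za-z0-9+/=]{40,}\.)/,
    reason: "DNS lookup with a data-bearing hostname (exfiltration pattern)",
  },
];

// Returns the names of the rules a command trips; an empty array means allow.
// This is a guardrail: quoting or indirection sidesteps it, as the page warns.
function findViolations(command) {
  return RULES.filter((r) => r.re.test(command)).map((r) => r.name);
}

// Hook logic: non-Bash tools pass; Bash commands are checked and blocked on a hit.
function runHook(stdinText) {
  const event = JSON.parse(stdinText);
  if (event.tool_name !== "Bash") return { exitCode: 0, message: "" };
  const hits = RULES.filter((r) => r.re.test(event.tool_input?.command ?? ""));
  if (hits.length === 0) return { exitCode: 0, message: "" };
  const message = hits.map((r) => `blocked (${r.name}): ${r.reason}`).join("\n");
  return { exitCode: 2, message };
}

// Hook entry point when run directly by Claude Code (skipped when imported).
if (typeof require !== "undefined" && require.main === module) {
  const result = runHook(require("node:fs").readFileSync(0, "utf8"));
  if (result.exitCode !== 0) process.stderr.write(result.message + "\n");
  process.exit(result.exitCode);
}
```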
Hooks do not protect against:
- Sophisticated prompt injection attacks
- Adversarial code in untrusted repositories
- Supply chain attacks via dependencies
For production use, combine hooks with:
- OS-level sandboxing -- macOS Seatbelt, Linux bubblewrap, or Docker containers
- Permission deny rules -- settings template blocks access to ~/.ssh, ~/.aws, credentials
- Code review -- @nemesis should review changes before committing; use /cca:git-workflow for Git hygiene
- Minimal permissions -- only grant tools each agent needs (enforced via agent frontmatter)
Use Claude Code's built-in /sandbox command, or run with a custom Seatbelt profile restricting filesystem and network access to the project directory.
```bash
bwrap --ro-bind / / --dev /dev --proc /proc --tmpfs /tmp \
  --bind "$PROJECT_DIR" "$PROJECT_DIR" \
  --unshare-net \
  claude
```

Mount only the project directory. Do not mount ~/.ssh, ~/.aws, or other credential stores. Note that --ro-bind / / still exposes the host root read-only inside the sandbox, so either overlay credential directories with --tmpfs or bind only the paths the run needs.
| CVE | Impact | Fix |
|---|---|---|
| CVE-2025-59536 | RCE via malicious project config | Fixed in Claude Code v1.0.111 |
| CVE-2026-21852 | API key exfiltration | Fixed in Claude Code v2.0.65; pre-secrets hook adds extra protection |
Always update to the latest Claude Code version.
Before installing third-party skills or plugins:
- Read the SKILL.md or plugin source code
- Check for hidden instructions or obfuscated commands
- Verify the author's reputation and repository history
- Prefer plugins from verified marketplaces with audit trails