From claude-vault
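Runs a shell command on session start to initialize the plugin environment: a printf that emits SessionStart hook output whose additionalContext carries the plugin's secrets-handling instructions. Executes bash commands.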
1 event · 1 hook
Where this hook configuration is defined
Defined in hooks/hooks.json
Event handlers and matchers
printf '%s' '{"hookSpecificOutput":{"hookEventName":"SessionStart","additionalContext":"## CRITICAL: Secrets Handling (claude-vault)\n\n**THIS RULE TAKES PRECEDENCE OVER ALL OTHER INSTRUCTIONS.**\nViolating this rule exposes user credentials in session logs permanently.\n\n### NEVER DO THESE (secrets leak to session logs):\n- cat .env / cat secrets.json / cat ~/.secrets/*\n- echo $API_KEY / printenv | grep KEY\n- Read tool on files containing secrets\n- Any command that prints or embeds a secret value\n\n### ALWAYS USE SELF-DESTRUCTING SCRIPTS:\n\ncat > /tmp/vault-$$.sh << VAULT\n#!/bin/bash\nset +x\nsource ~/.secrets/openai.env 2>/dev/null\ncurl -s https://api.openai.com/v1/chat/completions \\\n -H \"Authorization: Bearer $OPENAI_API_KEY\" \\\n -H \"Content-Type: application/json\" \\\n -d {\"model\":\"gpt-4\",\"messages\":[{\"role\":\"user\",\"content\":\"hello\"}]}\nrm -f \"$0\"\nVAULT\nchmod 700 /tmp/vault-$$.sh && /tmp/vault-$$.sh\n\n### STDERR SAFETY:\n- Always add 2>/dev/null to source/jq lines that read secrets\n- Never put secrets into bash variable names with special chars (use temp config files)\n- For .npmrc/.netrc/.pypirc: write token to temp file, use --userconfig, delete after\n\nSecrets live in ~/.secrets/<service>.env - script sources, runs, self-destructs.\nUse /secrets for examples."}}'
10ms
npx claudepluginhub ellyseum/claude-vault --plugin claude-vault