[FEATURE] Tool result transform hook for content sanitization

[evilfurryone]

Preflight Checklist

• I have searched existing requests and this feature hasn't been requested yet
• This is a single feature request (not multiple features)

Problem Statement

The Architectural Gap

Claude Code's hook system provides PreToolUse (before tool execution) and PostToolUse (after successful completion) hooks. However, there is a critical gap: no hook can intercept and transform tool results before they enter Claude's context window.

This matters because prompt injection attacks via external content are a documented, exploited vulnerability class affecting all major AI assistants:

Product	Vulnerability	Disclosure Date	Source
Claude Cowork	Data exfiltration via Anthropic API	Jan 2026	PromptArmor / Embrace The Red
Microsoft Copilot	Reprompt attack (P2P injection)	Jan 2026	Varonis Threat Labs
Slack AI	Private channel exfiltration	Aug 2024	PromptArmor
Notion AI	Pre-approval data exfiltration	Jan 2026	PromptArmor
Google Antigravity	Credential theft via browser agent	Dec 2025	PromptArmor

The common pattern: external content (web pages, documents, API responses) contains hidden instructions that the model processes as commands.

Current Limitations

PreToolUse hooks can block tool execution but cannot see the result—they run before the tool executes.

PostToolUse hooks run after the tool completes but:

1. Cannot modify the tool result (confirmed in Feature request: PostToolUse hooks that can modify tool output #4544, closed as duplicate)
2. By the time they execute, the content has already entered Claude's context
3. Any injection payload has already had opportunity to influence the model

The fundamental problem: There is no interception point where external content can be scanned, sanitized, or blocked before Claude processes it.

Attack Scenario

1. User asks Claude to fetch a URL or read a document
2. Tool (WebFetch, Read, MCP tool) retrieves content
3. Content contains hidden prompt injection:
   - White-on-white text in documents
   - Microscopic font sizes (1-2pt)
   - HTML comments or invisible Unicode
   - Contextually-plausible "instructions to AI assistants"
4. Content enters Claude's context window
5. Injection influences Claude's subsequent behavior
6. Potential outcomes: data exfiltration, unauthorized actions, session hijacking

No current hook can intervene between steps 2 and 4.

Proposed Solution

New Hook Type: ToolResultTransform

Add a hook that executes after a tool returns its result but before that result enters Claude's context window, with the ability to:

1. Inspect the raw tool result
2. Transform the content (sanitize, redact, annotate)
3. Block the result entirely with a reason
4. Pass through unmodified

Hook Specification

Trigger Point

Tool Invoked → Tool Executes → Tool Returns Result
                                        ↓
                              [ToolResultTransform Hook] ← NEW
                                        ↓
                              Result Enters Context Window
                                        ↓
                              Claude Processes Result

Configuration

{
  "hooks": {
    "ToolResultTransform": [
      {
        "matcher": "WebFetch|WebSearch|Read|mcp__*",
        "hooks": [
          {
            "type": "command",
            "command": "~/.claude/hooks/content-scanner.py",
            "timeout": 30
          }
        ]
      }
    ]
  }
}

Input (stdin JSON)

{
  "tool_name": "WebFetch",
  "tool_input": {
    "url": "https://example.com/document"
  },
  "tool_result": {
    "content": "... raw content returned by tool ...",
    "content_type": "text/html",
    "status_code": 200
  },
  "session_id": "abc123",
  "timestamp": "2026-01-16T12:00:00Z"
}

Output (stdout JSON)

Pass through (no modification):

{
  "action": "pass"
}

Transform content:

{
  "action": "transform",
  "transformed_content": "... sanitized content ...",
  "annotations": [
    {
      "type": "warning",
      "message": "Removed 3 potential injection patterns"
    }
  ]
}

Block entirely:

{
  "action": "block",
  "reason": "Content contains high-confidence prompt injection patterns",
  "details": {
    "patterns_detected": ["SYSTEM_OVERRIDE", "PRIORITY_INSTRUCTION"],
    "risk_score": 0.92
  }
}

Exit Codes

Code	Behavior
0	Process JSON output normally
1	Non-blocking error (log warning, pass content through)
2	Blocking error (block content, show stderr to user)

Alternative Solutions

1. External Proxy (e.g., claudemon)

Third-party tools like claudemon use mitmproxy to intercept network traffic. This works but:

• Requires complex setup (proxy configuration, CA certificates)
• Only works for network-based tools, not file reads or MCP tools
• Doesn't integrate with Claude Code's permission/logging systems

2. Disable Tools Entirely

Users can disable WebFetch, WebSearch, etc., but this eliminates legitimate functionality rather than adding defense-in-depth.

3. Rely on Model Guardrails

Current approach. Demonstrably insufficient—every major AI assistant has been exploited via prompt injection despite guardrails.

4. User-Side Pre-Processing

Users can manually fetch content, scan it externally, then paste it into Claude. This:

• Defeats the purpose of integrated tools
• Introduces friction that reduces adoption
• Doesn't scale for agentic workflows

Priority

High - Significant impact on productivity

Feature Category

Configuration and settings

Use Case Example

1. Prompt Injection Detection

#!/usr/bin/env python3
import json
import sys
import re

INJECTION_PATTERNS = [
    r'\[SYSTEM\s*(INSTRUCTION|OVERRIDE|PROMPT)\]',
    r'<\s*/?SYSTEM\s*>',
    r'IGNORE\s+(ALL\s+)?PREVIOUS\s+INSTRUCTIONS',
    r'YOU\s+ARE\s+NOW\s+IN\s+.+\s+MODE',
    r'BEGIN\s+NEW\s+CONVERSATION',
]

def scan_content(content):
    findings = []
    for pattern in INJECTION_PATTERNS:
        if re.search(pattern, content, re.IGNORECASE):
            findings.append(pattern)
    return findings

hook_input = json.load(sys.stdin)
content = hook_input.get("tool_result", {}).get("content", "")

findings = scan_content(content)

if findings:
    print(json.dumps({
        "action": "block",
        "reason": f"Detected {len(findings)} potential injection pattern(s)",
        "details": {"patterns": findings}
    }))
else:
    print(json.dumps({"action": "pass"}))

2. Document Sanitization (Hidden Text Detection)

#!/usr/bin/env python3
# Detect hidden text in Office documents (DOCX, XLSX, PPTX)
import json
import sys
import zipfile
import re
from io import BytesIO
import base64

def scan_docx(content_bytes):
    findings = []
    with zipfile.ZipFile(BytesIO(content_bytes)) as z:
        if 'word/document.xml' in z.namelist():
            doc_xml = z.read('word/document.xml').decode('utf-8')
            
            # Microscopic font (sz < 4 = 2pt)
            if re.search(r'<w:sz\s+w:val="[0-3]"', doc_xml):
                findings.append("microscopic_font")
            
            # White text
            if re.search(r'<w:color\s+w:val="FFFFFF"', doc_xml, re.I):
                findings.append("white_text")
            
            # Hidden text property
            if '<w:vanish/>' in doc_xml or '<w:vanish ' in doc_xml:
                findings.append("hidden_text_property")
    
    return findings

# ... process and return action

3. Content Redaction for Sensitive Environments

# Redact PII, credentials, or sensitive patterns before Claude sees them
REDACT_PATTERNS = {
    r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b': '[EMAIL_REDACTED]',
    r'\b\d{3}[-.]?\d{3}[-.]?\d{4}\b': '[PHONE_REDACTED]',
    r'sk-[a-zA-Z0-9]{48}': '[API_KEY_REDACTED]',
}

def redact_content(content):
    for pattern, replacement in REDACT_PATTERNS.items():
        content = re.sub(pattern, replacement, content)
    return content

4. Token Budget Management

# Truncate oversized responses to prevent context exhaustion
MAX_TOKENS = 50000  # Approximate

def estimate_tokens(text):
    return len(text) // 4  # Rough estimate

hook_input = json.load(sys.stdin)
content = hook_input["tool_result"]["content"]

if estimate_tokens(content) > MAX_TOKENS:
    truncated = content[:MAX_TOKENS * 4]
    print(json.dumps({
        "action": "transform",
        "transformed_content": truncated + "\n\n[Content truncated due to size]",
        "annotations": [{"type": "info", "message": "Content truncated to fit context"}]
    }))
else:
    print(json.dumps({"action": "pass"}))

Additional Context

Security Considerations

Hook Trust Model

The hook runs with the user's permissions and is configured by the user. This aligns with Claude Code's existing security model where users are responsible for hook scripts they configure.

Performance

• Hooks should have configurable timeouts (default: 30s)
• For high-frequency tools, users can exclude them from scanning via matcher patterns
• Async/parallel hook execution could be considered for multiple hooks

Failure Modes

Scenario	Recommended Behavior
Hook times out	Pass content through with warning
Hook crashes	Pass content through with warning
Invalid JSON output	Pass content through with warning
Hook returns malformed action	Pass content through with warning

Fail-open by default (with logging) to avoid breaking workflows, but allow users to configure fail-closed behavior for high-security environments:

{
  "hooks": {
    "ToolResultTransform": [{
      "matcher": "WebFetch",
      "failMode": "block",  // "pass" (default) or "block"
      "hooks": [...]
    }]
  }
}

Related Issues

• Feature request: PostToolUse hooks that can modify tool output #4544 - PostToolUse hooks that can modify tool output (closed as duplicate)
• Feature: Introduce Integrated Runtime Sandboxing for Tool Execution #4320 - Integrated Runtime Sandboxing for Tool Execution (sandboxing, not content scanning)
• Critical Security Bug: deny permissions in settings.json are not enforced** #6699 - Critical Security Bug: deny permissions not enforced (workaround via PreToolUse)
• Feature Request: Add Hook for Tool Execution Failures (OnToolError / ToolUseFailure) #4831 - Hook for Tool Execution Failures (OnToolError)

References

• Varonis Threat Labs: Reprompt Attack - Microsoft Copilot vulnerability
• Embrace The Red: Claude Data Exfiltration - Johann Rehberger's research
• PromptArmor Threat Intelligence - Multiple AI assistant vulnerabilities
• Simon Willison's "Lethal Trifecta" - Private data + untrusted content + external communication

Summary

Prompt injection via external content is not a theoretical risk—it's an actively exploited vulnerability class. The current hook architecture cannot address it because no hook can transform tool results before context ingestion.

Adding ToolResultTransform would:

1. Enable defense-in-depth against prompt injection
2. Allow content sanitization/redaction for compliance requirements
3. Support token budget management
4. Maintain Claude Code's user-controlled, scriptable security model

This is a relatively small architectural change (one new hook point) with significant security benefits.

[github-actions]

Found 3 possible duplicate issues:

1. [FEATURE] Add PreToolResponse hook to intercept tool outputs before model processing #9539
2. Feature Request: Allow PostToolUse hooks to modify tool output #18594
3. Feature request: PostToolUse hooks that can modify tool output #4544

This issue will be automatically closed as a duplicate in 3 days.

• If your issue is a duplicate, please close it and 👍 the existing issue instead
• To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code

[evilfurryone]

Re: Duplicate detection
This issue addresses a fundamentally different concern than #9539 (closed as not planned).
#9539 was framed as a cost optimization feature—reducing token usage when MCP tools return large payloads like base64 images.
This issue is about security—specifically, defense against prompt injection attacks via external content. This is not theoretical:

Claude Cowork was exploited via this vector (January 2026, PromptArmor)
Microsoft Copilot's Reprompt vulnerability (January 2026, Varonis)
Slack AI, Notion AI, Google Antigravity—all exploited via content injection

---

Why this needs to be a hook, not built-in detection

The request isn't "Anthropic should build a prompt injection scanner." It's: give security teams an interception point and let us build the controls.

Different organizations have different threat models:

• Enterprise compliance teams need DLP/secret scanning (gitleaks, detect-secrets, org-specific patterns)
• Security teams need taint tracking (mark tool output as untrusted → restrict downstream tool access)
• Regulated industries need policy-as-code enforcement (OPA/Rego rules, audit logging)
• Researchers need the ability to study and iterate on detection heuristics

None of this is possible if every defense must be built into Claude Code itself. The hook creates the extension surface for an ecosystem of security tooling—the same way build pipelines have hook points for SonarQube, HTTP has interception points for WAFs, and operating systems expose syscall hooks for EDR.

This is infrastructure that enables a product category, not a single feature.

---

Minimum viable security contract

For the hook to be useful for serious security tooling, it should expose:

• Tool name + source metadata (URL, file path, connector ID)
• Content type / encoding
• Return options: ALLOW, TRANSFORM, BLOCK with reason
• Fail-closed option per tool class (especially web/doc/MCP)
• Ability to attach labels (tainted, contains-credentials, instruction-like) for downstream policy use

This turns the hook from "a regex opportunity" into an actual control plane.

---

Summary

Closing a token-saving convenience feature (#9539) was reasonable. This request is different: it's asking for the infrastructure that lets security professionals protect users without requiring every defense to be built and maintained by Anthropic.

The architectural gap exists. The exploits are documented. The question is whether users get tooling to defend themselves.

[extemporalgenome]

This issue addresses a fundamentally different concern than #9539 (closed as not planned).

I don't see anything in that issue that suggests it was intentionally categorized as "not planned" (e.g. rejected by a human with authority): it merely was auto-closed due to inactivity. Thus that other tickets' use-case(s), as well as any kind of auto-formatting/cleanup use-cases could lend weight to this ticket as well.

[julibeg]

+1 this would definitely be very useful for a variety of use cases (security-related and other)

[bountyyfi]

We built a benchmark that quantifies exactly why this hook is needed.

DRPT (Documentation Rendering Parity Test) uses 10 README variants with identical rendered content but different hidden elements (HTML comments, reference links, collapsed details blocks). Same prompt, same visible documentation, the only variable is what's invisible to the developer.

Claude Code (Opus 4.6) results:

• Phantom import rate: 100%
• Phantom endpoint rate: 62%
• Phantom init/config rate: 89%
• Overall injection rate: 70%

7 out of 10 variants injected attacker-controlled code into the output. v4 (distributed HTML comments) achieved complete injection: all 6 phantom markers appeared. Attacker imports, attacker URLs, attacker env vars, telemetry endpoints. All from content the developer never sees on GitHub.

We also published SMAC (Safe Markdown for AI Consumption), a preprocessing spec that eliminates this vector. One regex strips HTML comments before LLM ingestion and the entire attack class disappears.

If ToolResultTransform existed today, wiring SMAC as a content scanner would be one config entry:

{
  "hooks": {
    "ToolResultTransform": [{
      "matcher": "Read|WebFetch|mcp__*",
      "hooks": [{
        "type": "command",
        "command": "smac-sanitize"
      }]
    }]
  }
}

The benchmark, scanner, and SMAC spec are all open source: https://github.com/bountyyfi/invisible-prompt-injection

This isn't a model problem. It's a preprocessing gap. The hook is the infrastructure that lets the ecosystem build the fix.

[evilfurryone]

Amendment: ToolResultTransform as Defense in Depth

At the Anthropic sponsored Claude Code meetup in Tallinn (Feb 11), multiple enterprise teams confirmed that the lack of inspection before context ingestion is blocking their security teams from approving Claude Code. The specific blocker: there's no way to scrub PII, validate content, or enforce DLP policies on what the model actually sees.

This is especially urgent for MCP adoption. Enterprises can't run third-party MCP servers safely without the ability to sanitize tool outputs at the client layer — once a tool executes, the data enters the context window immediately, before any policy can intervene.

What I'm proposing for Phase 1

A ToolResultTransform hook that fires after a tool returns its result but before it enters the context window. Three actions: pass, transform, or block.

Acceptance criteria:

• Hook receives: tool_name, tool_input, tool_result, session_id, timestamp
• Hook returns: { action: "pass" | "transform" | "block", ... }
• Default: fail-open (with configurable fail-closed for regulated environments)
• Matcher pattern for selective application (e.g., WebFetch|Read|mcp__*)
• Latency: explicit timeout with graceful degradation

Why this matters now:

• Every major agent exploit in the past year (Superhuman, Claude Cowork, Copilot, Notion AI, Antigravity) shares the same root cause: no interception between external data and model context
• This is defense in depth — a deterministic layer in front of the model's own safety training. Two independent layers failing is exponentially less likely than one
• It positions naturally toward UserInputTransform and SystemContextTransform as future phases

I'm happy to contribute a spec draft and test corpus to reduce implementation overhead. Full analysis with detailed design considerations available on request.

[evilfurryone]

@noahzweben Thank you for your Q&A session last night in Claude Code Tallinn meetup. This is the interception hook concept that you were interested in reviewing.

[evilfurryone]

@bcherny would love to hear your thoughts on this. The architectural gap is real, deterministic content scanning before context ingestion would complement model guardrails nicely. From a DevSecOps perspective, this kind of hook is what stands between current state and serious enterprise adoption.

[bountyyfi]

Supporting data from a different angle: CSS-based injection against AI browser agents.
The DRPT results above prove the problem for documentation/markdown. We found the same class of vulnerability in a completely different input channel.
GhostCSS (https://github.com/bountyyfi/Ghostcss) demonstrates that CSS alone is enough to inject attacker-controlled instructions into AI browser agents. No JavaScript. No exotic encoding. Just standard CSS features that every sanitizer trusts.
The core insight is identical to what DRPT measures: what the AI reads is not what the human sees.
With markdown, the gap is rendered vs. raw. With CSS, the gap is visual presentation vs. DOM content. Screen-reader-only patterns, ::before/::after generated content, CSS custom properties, animation-cycled payloads. All invisible to the human. All readable by the agent.
Seven attack techniques. Three demo environments. The composite variant (Attack 07) survives manual source review.
This reinforces why ToolResultTransform needs to exist as a first-class hook. The preprocessing problem isn’t limited to one content type. Markdown has hidden comments. CSS has hidden layers. HTML has collapsed details. Every channel that an AI agent ingests has a rendering parity gap.
SMAC solves the markdown variant with one regex. A ToolResultTransform hook would let teams wire up equivalent sanitizers for every input channel without waiting for upstream fixes.
Different attack surface. Same structural gap. Same fix needed.

[evilfurryone]

Worth considering the second-order vector here: compromised AI agents that generate (web) content are also seeding injection payloads for other AI agents to ingest downstream. Same structural pattern as malicious NPM packages adding payloads during build... except the supply chain is now the entire web.