SKILL.md
$27
This allows:
- Unformatted code to enter the repository
- Linting errors to bypass checks
- Security scanning to be skipped
- Unsigned commits to bypass signing policies
- Test suites to be circumvented
Solution
Add a PreToolUse hook to .claude/settings.json that inspects every Bash tool call and blocks commands containing bypass flags.
Configuration
Add the following to your project's .claude/settings.json:
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hook": {
"type": "command",
"command": "if printf '%s' \"$TOOL_INPUT\" | grep -qE '(^|&&|;|\\|)\\s*git\\s+.*--(no-verify|no-gpg-sign)'; then echo 'BLOCKED: --no-verify and --no-gpg-sign flags are not allowed. Run the commit without bypass flags so that pre-commit hooks execute properly.' >&2; exit 2; fi"
}
}
]
}
}How It Works
- Matcher: The hook targets only
Bashtool calls, so it does not interfere with other tools (Read, Edit, Grep, etc.).
- Inspection: The
$TOOL_INPUTenvironment variable contains the full command the agent is about to execute. The hook usesprintfto safely pass input (avoidingechopitfalls with special characters) and checks for--no-verifyor--no-gpg-signflags only when preceded by agitcommand.
- Blocking: If a bypass flag is found in a git command, the hook exits with code 2 and prints an error message. Exit code 2 signals Claude Code to reject the tool call entirely.
- Pass-through: If no bypass flag is found, the hook exits with code 0 and the command executes normally.
Exit Codes
Code
Meaning
0
Allow the tool call to proceed
1
Error (tool call still proceeds, warning shown)
2
Block the tool call entirely
Blocked Flags
Flag
Purpose
Why Blocked
--no-verify
Skips pre-commit and commit-msg hooks
Bypasses linting, formatting, testing, security checks
--no-gpg-sign
Skips GPG commit signing
Bypasses commit signing policy
Installation
Per-Project Setup
Create or update .claude/settings.json in your project root:
mkdir -p .claude
cat > .claude/settings.json << 'EOF'
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hook": {
"type": "command",
"command": "if printf '%s' \"$TOOL_INPUT\" | grep -qE '(^|&&|;|\\|)\\s*git\\s+.*--(no-verify|no-gpg-sign)'; then echo 'BLOCKED: --no-verify and --no-gpg-sign flags are not allowed. Run the commit without bypass flags so that pre-commit hooks execute properly.' >&2; exit 2; fi"
}
}
]
}
}
EOFGlobal Setup
To enforce across all projects, add to ~/.claude/settings.json:
mkdir -p ~/.claude
cat > ~/.claude/settings.json << 'EOF'
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hook": {
"type": "command",
"command": "if printf '%s' \"$TOOL_INPUT\" | grep -qE '(^|&&|;|\\|)\\s*git\\s+.*--(no-verify|no-gpg-sign)'; then echo 'BLOCKED: --no-verify and --no-gpg-sign flags are not allowed. Run the commit without bypass flags so that pre-commit hooks execute properly.' >&2; exit 2; fi"
}
}
]
}
}
EOFVerification
Test that the hook blocks bypass flags:
# This should be blocked by the hook:
git commit --no-verify -m "test"
# This should succeed normally:
git commit -m "test"Extending the Hook
Adding More Blocked Flags
To block additional flags (e.g., --force), extend the grep pattern:
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hook": {
"type": "command",
"command": "if printf '%s' \"$TOOL_INPUT\" | grep -qE '(^|&&|;|\\|)\\s*git\\s+.*--(no-verify|no-gpg-sign|force-with-lease|force)'; then echo 'BLOCKED: Bypass flags are not allowed.' >&2; exit 2; fi"
}
}
]
}
}Combining with Other Hooks
The block-no-verify hook works alongside other PreToolUse hooks:
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hook": {
"type": "command",
"command": "if printf '%s' \"$TOOL_INPUT\" | grep -qE '(^|&&|;|\\|)\\s*git\\s+.*--(no-verify|no-gpg-sign)'; then echo 'BLOCKED: Bypass flags not allowed.' >&2; exit 2; fi"
}
},
{
"matcher": "Bash",
"hook": {
"type": "command",
"command": "if printf '%s' \"$TOOL_INPUT\" | grep -qE 'rm\\s+-rf\\s+/'; then echo 'BLOCKED: Dangerous rm command.' >&2; exit 2; fi"
}
}
]
}
}Best Practices
- Commit the settings file -- Add
.claude/settings.jsonto version control so all team members benefit from the hook.
- Document in onboarding -- Mention the hook in your project's contributing guide so developers understand why bypass flags are blocked.
- Pair with pre-commit hooks -- The block-no-verify hook ensures pre-commit hooks run; make sure you have meaningful pre-commit hooks configured.
- Test after setup -- Verify the hook works by intentionally triggering it in a test commit.