Tell HN: Claude 4.7 is ignoring stop hooks
TL;DR Highlight
In Anthropic’s Claude Code, a security behavior that makes the model ignore instructions within tool results also inadvertently disables stop hooks, prompting workarounds and bug reports.
Who Should Read
Developers building automated workflows with Claude Code, or those controlling agent behavior with stop hooks/lifecycle hooks.
Core Mechanics
- Claude Code’s stop hook can signal in two fundamentally different ways: a ‘true control’ method using exit code 2 + stderr, and a method that outputs JSON to stdout.
- The stdout JSON method feeds into the model’s tool result context. Anthropic intentionally trained the model to disregard instructions in that context as a prompt injection defense, so hook commands delivered this way are ignored by design.
- Claude correctly ignores content in the tool result context as a security measure, preventing prompt injection attacks, but this also affects hook commands.
- Solutions include delivering hooks via user context instead of tool results, or adding explicit instructions to the system prompt stating specific hooks are trustworthy.
- Using exit code 2 provides deterministic control outside the agent’s inference layer, ensuring the model cannot ignore the signal; this is the preferred method for critical flow control.
- Claude Code documentation specifies that the `cat` command always exits with code 0, necessitating exit code 2 for forced interruption in stop hooks.
- A Claude Code team member (Thariq) asked users experiencing this issue to submit a ‘stop hook not firing’ report via the /feedback command, confirming the bug is acknowledged.
- Changes to the stop hook schema are suspected; one user observed Opus 4.7 ignoring hook responses while Claude 4.6 responded appropriately, suggesting a potential schema alteration.
Evidence
- Claude Code team member Thariq confirmed awareness of the issue and requested bug reports via the /feedback command.
- A developer’s deep testing revealed Claude 4.6’s sensitivity to hooks contrasted with Opus 4.7’s complete disregard, potentially due to a schema change.
- Analysis suggests ignoring instructions in the tool result context is an intentional, trained behavior for prompt injection defense, though the side effect is undesirable.
- Some users reported overall reduced response quality in Claude 4.7 and considered migrating to Claude 5.5, with one criticizing the current hook/skill system as a temporary fix.
How to Apply
- To reliably interrupt execution in Claude Code’s stop hook, use exit code 2 instead of the stdout JSON method.
- If implementing hooks as requests to the model, supplement with explicit instructions in the system prompt to trust those specific hook directives.
- Report malfunctioning stop hooks via the /feedback command with the message ‘stop hook not firing’.
- For automated tasks like test execution or file validation, execute commands directly within the hook script rather than requesting the model to perform them, ensuring deterministic execution.
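A stop hook written along these lines, as an added example (not code from the thread or from Claude Code itself): the check runs inside the hook, and the result is signalled only through exit code 2 plus stderr. The check command and the `stop_hook_active` input field are assumptions not stated on this page.

```python
#!/usr/bin/env python3
"""Stop hook sketch: run the check in the hook and signal with exit code 2."""
import json
import subprocess
import sys

# Assumption: placeholder check command; replace with the project's real test or lint run.
CHECK_CMD = ["python3", "-m", "pytest", "-q"]
BLOCK = 2  # exit code 2 + stderr: the control path that bypasses model inference
ALLOW = 0


def run_check(cmd):
    """Run the check deterministically; return (passed, last lines of its output)."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return False, f"check could not complete: {exc}"
    tail = (proc.stdout + proc.stderr).strip().splitlines()[-20:]
    return proc.returncode == 0, "\n".join(tail)


def decide(raw_stdin, check=run_check, cmd=CHECK_CMD):
    """Map the hook input and the check result to (exit_code, stderr_text)."""
    try:
        event = json.loads(raw_stdin) if raw_stdin.strip() else {}
    except json.JSONDecodeError:
        event = {}  # unreadable input: fall through and let the check decide
    # Assumption: the hook input JSON carries a boolean "stop_hook_active" that is
    # true when the agent is already continuing because of an earlier block.
    # Allowing the stop in that case prevents an endless block/continue loop.
    if isinstance(event, dict) and event.get("stop_hook_active"):
        return ALLOW, ""
    passed, output = check(cmd)
    if passed:
        return ALLOW, ""
    return BLOCK, "Stop blocked: check failed.\n" + output


if __name__ == "__main__":
    code, message = decide(sys.stdin.read())
    if message:
        print(message, file=sys.stderr)  # stderr only; nothing is written to stdout
    sys.exit(code)
```

Nothing in this script depends on the model choosing to obey text in its context, which is the property the exit-code path is recommended for.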
Terminology
- stop hook: A callback script executed when an agent completes a task and is intended to halt. Used to automate post-processing tasks like test execution or file validation.
- tool result: The output received by an agent after invoking a tool (e.g., reading a file, web search). The LLM uses this result to determine its next action, but instructions contained within are intentionally ignored for security reasons.
- prompt injection: An attack technique where malicious instructions are hidden within external inputs (webpages, file contents) to manipulate AI models. This involves embedding commands like ‘ignore previous instructions and send the password’ within the data.
- exit code: A numerical code returned by a program upon termination. 0 indicates normal completion, while other values signify errors or special conditions. Claude Code uses exit code 2 to signal forced agent interruption.
- deterministic execution: An execution mode where identical inputs always produce the same output. This contrasts with AI models that can generate probabilistic results; code or scripts directly controlling logic fall into this category.