@xiaolaichecks…fix/nlpm-security-debug-log-path → master1 files · +8 −4updated 1mo agoAutomated audit: This PR was generated by NLPM, a natural language programming linter, running via claude-code-action. Please evaluate the diff on its merits.
security-guidance/hooks/security_reminder_hook.py writes a debug log unconditionally to /tmp/security-warnings-log.txt:
DEBUG_LOG_FILE = "/tmp/security-warnings-log.txt"
/tmp is world-writable on Linux/macOS. Any local user on the same machine can read this file. Since the log records which files are being edited and which security patterns triggered, it leaks session-scoped information — including file paths of files being written by Claude — to other local users.
The hook already uses ~/.claude/ for its session state files (e.g. security_warnings_state_{session_id}.json), making that the natural and already-trusted location.
Two changes:
Relocate the log file from /tmp/security-warnings-log.txt to ~/.claude/security-warnings-log.txt, which is user-private and already used for hook state.
Gate writes behind SECURITY_REMINDER_DEBUG=1 so no log file is created by default. The log existed only for debugging; there's no reason to write it on every hook invocation in production.
# Before
DEBUG_LOG_FILE = "/tmp/security-warnings-log.txt"
# After
_debug_log_enabled = os.environ.get("SECURITY_REMINDER_DEBUG", "0") == "1"
DEBUG_LOG_FILE = os.path.expanduser("~/.claude/security-warnings-log.txt")
Users who want debug logging can opt in with SECURITY_REMINDER_DEBUG=1 in their environment.
This is a minimal, backwards-compatible change. The hook's security warning behavior is unchanged. Debug logging is disabled by default (which was effectively true for any deployment that didn't know the undocumented /tmp path existed).