Notification Hooks

Plugin Active

Notification Hooks - Event-driven automation hooks

Purpose

To enable automated event-driven notifications within Claude Code, informing users about important events, errors, or task completions.

User installs the plugin.
User configures required environment variables for desired notification services.
Claude Code triggers an event (e.g., tool execution, error, session stop).
The relevant hook script executes.
The hook sends a notification to the configured service.

Claude Code environment
Configured environment variables for notification services (e.g., TELEGRAM_BOT_TOKEN, DISCORD_WEBHOOK_URL)

info:Unique selling propositionThe plugin provides a set of pre-configured hooks for common notification services, offering convenience over direct API implementation but is a thin wrapper around these services.

warning:Configuration & parameter referenceWhile some environment variables are listed for notification services, the documentation does not explicitly state default values or precedence order for configurations.

warning:Secret ManagementSecrets like API tokens and webhook URLs are expected to be provided via environment variables, but the plugin's documentation does not explicitly mention how these secrets are handled or if they are stored securely (e.g., in userConfig with `sensitive: true`).
warning:Data ExfiltrationSome hooks require credentials (API tokens, webhook URLs) to be sent to third-party services (Slack, Telegram, Discord), and the documentation does not specify if these are handled securely or if there's an opt-out mechanism.
warning:Hook securityWhile the hooks are primarily for notifications, the broad wildcard matchers ('*') could potentially lead to unexpected executions if not carefully managed, and secrets are handled via environment variables without explicit guidance on secure storage.
warning:Keychain-stored secretsThe plugin uses environment variables for secrets like API keys and webhook URLs, but it does not explicitly route these through `userConfig` with `sensitive: true`, which is the recommended way to handle secrets for keychain storage.

warning:ValidationThe hook scripts use environment variables for configuration but do not demonstrate explicit schema validation for these parameters, potentially leading to unexpected behavior if variables are malformed or missing.
warning:Error HandlingThe bash scripts for hooks do not show explicit error handling for API calls or environment variable lookups, meaning errors might be opaque or unhandled.
info:LoggingThe hooks do not appear to implement local audit logging for their actions; notifications are sent externally.

warning:GDPRThe hooks send notification data to third-party services (Slack, Discord, Telegram) which may involve personal data if such data is included in the tool's output or context. Sanitization of this data before sending is not explicitly documented.
warning:Hook privacyHooks send data to external notification services. While this is the intended functionality, the documentation could be clearer about what data is sent and how it is protected, especially concerning credentials.

warning:Actionable error messagesThe error handling in the bash scripts is minimal; errors from external API calls or missing environment variables may not be user-friendly or provide clear remediation steps.

warning:Hook matcher tightnessSeveral hooks use a wildcard matcher ('*') for their event type or tool, which is too broad and could lead to unintended hook executions.