diff --git a/hooks/scripts/read_config.sh b/hooks/scripts/read_config.sh
index c4130cd..cac3801 100755
--- a/hooks/scripts/read_config.sh
+++ b/hooks/scripts/read_config.sh
@@ -16,6 +16,12 @@ if [ -z "$KEY" ]; then
 exit 0
 fi
 
+# Allowlist: only accept known config keys to prevent regex injection
+case "$KEY" in
+ git|session_capture) ;;
+ *) echo "$DEFAULT"; exit 0 ;;
+esac
+
 # Find project root — use CLAUDE_PROJECT_DIR if set, otherwise walk up
 PROJECT_DIR="${CLAUDE_PROJECT_DIR:-$(pwd)}"
 CONFIG_FILE="$PROJECT_DIR/.arscontexta"
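Review bot: The `*)` arm of the new `case` returns `$DEFAULT` with exit 0 and no diagnostic, so a misspelled key, or a key later added to `.arscontexta` but not to this list, will silently read as its default. Consider logging the rejection to stderr, e.g. `*) printf 'read_config: unknown key: %s\n' "$KEY" >&2; printf '%s\n' "$DEFAULT"; exit 0 ;;`; using `printf '%s\n'` also keeps `echo` from misreading a default that begins with `-`. The lookup that consumes `$KEY` lies outside this hunk; if it interpolates the key into a grep or sed pattern, this list is the only guard, so a comment beside it such as `# keep in sync with the keys read from .arscontexta` would help the next maintainer.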