Hooks and Security

Hooks Are Run with Your Privileges

When you run a Mercurial command in a repository, and the command causes a hook to run, that hook runs on your system, under your user account, with your privilege level. Since hooks are arbitrary pieces of executable code, you should treat them with an appropriate level of suspicion. Do not install a hook unless you are confident that you know who created it and what it does.

In some cases, you may be exposed to hooks that you did not install yourself. If you work with Mercurial on an unfamiliar system, Mercurial will run hooks defined in that system’s global ~/.hgrc file.

If you are working with a repository owned by another user, Mercurial can run hooks defined in that user’s repository, but it will still run them as you. For example, if you hg pull from that repository, and its .hg/hgrc defines a local outgoing hook, that hook will run under your user account, even though you don’t own that repository.

Note

This only applies if you are pulling from a repository on a local or network filesystem. If you’re pulling over http or ssh, any outgoing hook will run under whatever account is executing the server process on the server.

To see what hooks are defined in a repository, use the hg showconfig hooks command. If you are working in one repository but talking to another that you do not own (e.g., using hg pull or hg incoming), remember that it is the other repository’s hooks you should be checking, not your own.
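As an added example (not from the book), the following POSIX shell script shows the kind of check the paragraph recommends: before pulling from another user's repository on a local or network filesystem, list the hooks its `.hg/hgrc` defines, since those are the hooks that will run under your account. The `[hooks]` parser assumes the simple INI-style form shown here (one `name = command` per line, no line continuations or `%include` directives); the sample config, paths and hook commands are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit the hooks another repository would run before pulling from it.
# Assumption: the hgrc uses plain "name = command" lines inside a [hooks] section.

# list_hooks FILE: print "name<TAB>command" for every entry in the [hooks] section
list_hooks() {
    awk '
        /^[[:space:]]*[;#]/ { next }                                 # skip comment lines
        /^[[:space:]]*\[/ {                                          # section header
            in_hooks = ($0 ~ /^[[:space:]]*\[hooks\][[:space:]]*$/)
            next
        }
        in_hooks && /=/ {
            name = $0; sub(/[[:space:]]*=.*/, "", name); sub(/^[[:space:]]*/, "", name)
            cmd  = $0; sub(/^[^=]*=[[:space:]]*/, "", cmd)
            printf "%s\t%s\n", name, cmd
        }
    ' "$1"
}

# count_hooks FILE: number of hook entries defined in FILE
count_hooks() {
    list_hooks "$1" | wc -l | tr -d ' '
}

# pull_triggered_hooks FILE: only the "outgoing" hooks, i.e. those that fire in the
# source repository when you hg pull from it over a local or network filesystem
pull_triggered_hooks() {
    list_hooks "$1" | awk -F'\t' '$1 == "outgoing" || $1 ~ /^outgoing\./'
}

# write_sample_hgrc PATH: constructed example of a repository's .hg/hgrc (not real data)
write_sample_hgrc() {
    cat > "$1" <<'EOF'
[paths]
default = /srv/hg/project

[hooks]
; runs in this repository whenever changesets are pulled or cloned from it
outgoing = /usr/local/bin/notify-outgoing
# a second outgoing hook; both run with the *pulling* user's privileges
outgoing.audit = python:auditmod.hook
commit = /usr/local/bin/check-commit

[ui]
username = Example User
EOF
}

# Stand-alone demonstration: write the constructed config and list what a pull would run
SAMPLE_HGRC=$(mktemp)
write_sample_hgrc "$SAMPLE_HGRC"
echo "All hooks defined in $SAMPLE_HGRC:"
list_hooks "$SAMPLE_HGRC"
echo "Hooks that would run under your account on hg pull:"
pull_triggered_hooks "$SAMPLE_HGRC"
rm -f "$SAMPLE_HGRC"
```

Point the script at `/path/to/other/repo/.hg/hgrc` to audit a real repository. This reads one file only; `hg showconfig hooks`, run inside that repository, remains the authoritative view because Mercurial merges the system-wide, per-user and per-repository configuration before deciding which hooks to run.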

Hooks Do Not Propagate ...
