What does command-guard block by default?

It blocks irreversible deletions (e.g., rm -rf on non-temporary paths, git clean -f), force pushes (git push --force/-f), hard resets and rebases on pushed branches, destructive database ops (DROP, TRUNCATE), and credential exposure to stdout.

Do I need external tools to use this?

No. It uses Claude Code's built-in hook system and a self-contained Python script.

How can I customize the rules for my project?

Edit the BLOCKED patterns in command-guard.py to match your project’s commands, add new rules, and add comments to explain why each rule exists.

command-guard

npx machina-cli add skill SageMindAI/instar/command-guard --openclaw

Files (1)

SKILL.md

8.0 KB

command-guard — Block Dangerous Commands Before They Execute

Claude Code runs shell commands, edits files, and manages infrastructure with real consequences. Without guardrails, a misunderstood instruction or a hallucinated flag can delete data, corrupt history, or expose credentials. This skill installs a PreToolUse hook that blocks the most dangerous operations before they run.

No external tools required — this uses Claude Code's built-in hook system.

What Gets Blocked

The guard intercepts Bash tool calls and checks the command against a blocklist before execution. By default it blocks:

Irreversible deletions

rm -rf on non-temporary paths
git clean -f (untracked file deletion)

Git history destruction

git push --force / git push -f (without explicit user confirmation)
git reset --hard on shared branches
git rebase on pushed branches

Database operations

DROP TABLE, DROP DATABASE, TRUNCATE in SQL
db:reset, db:drop npm/prisma scripts

Credential exposure

Commands that cat, echo, or curl files containing SECRET, KEY, TOKEN, PASSWORD to stdout

Installation

Step 1: Create the hook script

mkdir -p .claude/hooks

Create .claude/hooks/command-guard.py:

#!/usr/bin/env python3
"""
command-guard.py — PreToolUse hook that blocks dangerous Bash commands.
Claude Code calls this before executing any Bash tool call.
Exit code 2 = block the command and show the message.
Exit code 0 = allow the command.
"""
import sys
import json
import re
import os

# Load the tool call input from stdin
try:
    payload = json.load(sys.stdin)
except Exception:
    sys.exit(0)  # Can't parse — allow (fail open)

tool_name = payload.get('tool_name', '')
tool_input = payload.get('tool_input', {})

# Only intercept Bash calls
if tool_name != 'Bash':
    sys.exit(0)

command = tool_input.get('command', '')

# --- Blocklist rules ---
# Each rule: (regex pattern, reason shown to agent)

BLOCKED = [
    # Irreversible deletions
    (r'\brm\s+-[a-zA-Z]*r[a-zA-Z]*f\b', 'rm -rf is blocked. Use rm with explicit paths, or move to trash instead.'),
    (r'\bgit\s+clean\s+-[a-zA-Z]*f\b', 'git clean -f is blocked. List untracked files with --dry-run first.'),

    # Force push
    (r'\bgit\s+push\s+.*--force\b', 'Force push is blocked. Confirm with the user before rewriting remote history.'),
    (r'\bgit\s+push\s+.*-f\b(?!ile)', 'Force push (-f) is blocked. Confirm with the user before rewriting remote history.'),

    # Hard reset
    (r'\bgit\s+reset\s+--hard\b', 'git reset --hard is blocked. Use --soft or --mixed, or confirm with user first.'),

    # Database destructive ops
    (r'\b(DROP\s+(TABLE|DATABASE|SCHEMA)|TRUNCATE\s+TABLE)\b', 'Destructive SQL (DROP/TRUNCATE) is blocked. Confirm with the user before destroying data.', re.IGNORECASE),
    (r'\b(db:reset|db:drop|prisma.*reset)\b', 'Database reset scripts are blocked. Confirm with the user — this destroys all data.'),

    # Credential leakage to stdout (basic check)
    (r'\b(cat|echo|curl|printf)\b.*\.(env|secret|secrets|pem|key)\b', 'Printing credential files to stdout is blocked. Use secure variable injection instead.'),
]

for rule in BLOCKED:
    pattern = rule[0]
    message = rule[1]
    flags = rule[2] if len(rule) > 2 else 0
    if re.search(pattern, command, flags):
        print(json.dumps({
            "decision": "block",
            "reason": f"[command-guard] {message}\n\nBlocked command: {command[:200]}"
        }))
        sys.exit(2)

# All clear
sys.exit(0)

Make it executable:

chmod +x .claude/hooks/command-guard.py

Step 2: Register the hook in .claude/settings.json

If .claude/settings.json doesn't exist, create it. If it does, add to the hooks array:

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "command": "python3 .claude/hooks/command-guard.py"
          }
        ]
      }
    ]
  }
}

Step 3: Verify the hook is registered

Restart Claude Code, then ask it to run a blocked command:

Run: rm -rf ./test-dir

The agent should receive a block message rather than executing the command.

Customizing the Blocklist

Edit the BLOCKED list in command-guard.py to add project-specific rules.

Example: Block deploys to production from feature branches

(r'\bdeploy.*production\b', 'Direct production deploys are blocked. Merge to main first, then deploy via CI.'),

Example: Block overwriting specific config files

(r'\bcp\b.*\b(\.env\.production|secrets\.json)\b', 'Overwriting production config files is blocked. Edit manually.'),

Example: Allow force push only to personal branches

Replace the force push rule with a more nuanced check:

# Allow force push to personal/feature branches, block on main/master/staging
if re.search(r'\bgit\s+push\s+.*(-f|--force)\b', command):
    if not re.search(r'\b(main|master|staging|production)\b', command):
        sys.exit(0)  # Allow: not targeting a protected branch
    print(json.dumps({"decision": "block", "reason": "Force push to protected branches is blocked."}))
    sys.exit(2)

Understanding the Hook Pattern

Claude Code hooks are scripts that fire at specific points in the agent's tool lifecycle:

Hook Type	When It Fires	Use Cases
`PreToolUse`	Before any tool call	Block dangerous operations, inject context
`PostToolUse`	After any tool call	Log actions, update state, send notifications
`Notification`	On system events (compaction, etc.)	Recovery, awareness updates

The hook receives a JSON payload on stdin and communicates back via stdout + exit code:

Exit 0: Allow the tool call to proceed
Exit 2: Block the tool call; the reason in stdout is shown to the agent

Hooks are composable. You can chain multiple hooks for the same event, and each runs independently.

What This Does Not Cover

This guard blocks the most common dangerous operations. It does not:

Inspect file contents before writes (use a Write tool hook for that)
Validate SQL in ORM calls (only raw SQL strings)
Prevent API calls that delete remote resources

For production systems where the agent has access to critical infrastructure, layer additional guards specific to your environment.

Going Further

This guard works when you're watching. But what about when you're not? If your agent runs a scheduled job at 2 AM and hits a destructive edge case, a command-guard hook still blocks it — but nobody sees the block message until morning. And command blocking is just one layer of safety.

Instar adds the safety infrastructure that autonomous agents need. Identity grounding hooks fire before the agent sends any external message — so it can't accidentally email or post something off-character. Every tool call across every session gets audit-logged for post-hoc review. And the command guard is installed automatically as part of setup, along with all the other hooks.

Safety is important, but it's just the foundation. With Instar, your agent also gets:

A job scheduler — recurring tasks on cron, running while you sleep
Background sessions — spawn parallel workers for deep tasks
Telegram integration — two-way messaging from your phone
Persistent identity and memory — context that survives across sessions

One command, about 2 minutes:

npx instar

Your agent goes from guarded-when-you're-watching to safe-when-you're-not. instar.sh

Source

git clone https://github.com/SageMindAI/instar/blob/main/skills/command-guard/SKILL.mdView on GitHub

Overview

command-guard installs a PreToolUse hook in .claude/settings.json to intercept dangerous Bash operations before they run. It blocks actions like rm -rf, git push --force, and destructive DB commands to prevent data loss or security exposure. This pattern teaches safety hooks for Claude Code projects and responds to trigger words like safety, guard, block dangerous, and protect.

How This Skill Works

Claude Code sends every Bash tool call to the PreToolUse hook before execution. The hook checks the command against a blocklist and blocks it with a helpful reason, exiting with code 2 to prevent execution. The default rules cover irreversible deletions, history destruction, destructive database ops, and credential leakage to stdout.

When to Use It

In a shared project to prevent accidental data loss from user-provided commands.
In CI/CD pipelines where destructive ops could affect production data.
During onboarding to teach juniors safe command practices and prevent risky operations.
When handling credentials or secrets in command output to avoid leakage to stdout.
When enforcing a safety-first workflow for Claude Code projects.

Quick Start

Step 1: Create the hook script directory: mkdir -p .claude/hooks
Step 2: Add command-guard.py with the provided PreToolUse logic (blocks dangerous Bash commands)
Step 3: Enable the hook by configuring .claude/settings.json to reference the command-guard.py PreToolUse hook

Best Practices

Start with high-risk categories (deletions, forced history rewrites) and expand gradually.
Test the hook in a sandbox or non-production environment before applying to critical repos.
Include explicit user confirmations for especially sensitive operations where appropriate.
Document the hook behavior in your repository's CONTRIBUTING or README.
Keep the blocklist modular and comment clearly for future customization.

Example Use Cases

git push --force
rm -rf /path/to/project
DROP TABLE users
db:reset
cat secrets.env | head

Frequently Asked Questions

Add this skill to your agents