{"id":"57b61058-073d-4205-ae1d-d67f0308cd2a","shortId":"AdPnJ4","kind":"skill","title":"command-guard","tagline":"Set up a PreToolUse hook in .claude/settings.json that blocks dangerous commands — rm -rf, force push, database drops, and others — before they execute. Teaches the pattern of safety hooks for any Claude Code project. Trigger words: safety, guard, block dangerous, protect, preven","description":"# command-guard — Block Dangerous Commands Before They Execute\n\nClaude Code runs shell commands, edits files, and manages infrastructure with real consequences. Without guardrails, a misunderstood instruction or a hallucinated flag can delete data, corrupt history, or expose credentials. This skill installs a PreToolUse hook that blocks the most dangerous operations before they run.\n\nNo external tools required — this uses Claude Code's built-in hook system.\n\n---\n\n## What Gets Blocked\n\nThe guard intercepts `Bash` tool calls and checks the command against a blocklist before execution. By default it blocks:\n\n**Irreversible deletions**\n- `rm -rf` on non-temporary paths\n- `git clean -f` (untracked file deletion)\n\n**Git history destruction**\n- `git push --force` / `git push -f` (without explicit user confirmation)\n- `git reset --hard` on shared branches\n- `git rebase` on pushed branches\n\n**Database operations**\n- `DROP TABLE`, `DROP DATABASE`, `TRUNCATE` in SQL\n- `db:reset`, `db:drop` npm/prisma scripts\n\n**Credential exposure**\n- Commands that `cat`, `echo`, or `curl` files containing `SECRET`, `KEY`, `TOKEN`, `PASSWORD` to stdout\n\n---\n\n## Installation\n\n### Step 1: Create the hook script\n\n```bash\nmkdir -p .claude/hooks\n```\n\nCreate `.claude/hooks/command-guard.py`:\n\n```python\n#!/usr/bin/env python3\n\"\"\"\ncommand-guard.py — PreToolUse hook that blocks dangerous Bash commands.\nClaude Code calls this before executing any Bash tool call.\nExit code 2 = block the command and show the message.\nExit code 0 = allow the command.\n\"\"\"\nimport sys\nimport json\nimport re\nimport os\n\n# Load the tool call input from stdin\ntry:\n    payload = json.load(sys.stdin)\nexcept Exception:\n    sys.exit(0)  # Can't parse — allow (fail open)\n\ntool_name = payload.get('tool_name', '')\ntool_input = payload.get('tool_input', {})\n\n# Only intercept Bash calls\nif tool_name != 'Bash':\n    sys.exit(0)\n\ncommand = tool_input.get('command', '')\n\n# --- Blocklist rules ---\n# Each rule: (regex pattern, reason shown to agent)\n\nBLOCKED = [\n    # Irreversible deletions\n    (r'\\brm\\s+-[a-zA-Z]*r[a-zA-Z]*f\\b', 'rm -rf is blocked. Use rm with explicit paths, or move to trash instead.'),\n    (r'\\bgit\\s+clean\\s+-[a-zA-Z]*f\\b', 'git clean -f is blocked. List untracked files with --dry-run first.'),\n\n    # Force push\n    (r'\\bgit\\s+push\\s+.*--force\\b', 'Force push is blocked. Confirm with the user before rewriting remote history.'),\n    (r'\\bgit\\s+push\\s+.*-f\\b(?!ile)', 'Force push (-f) is blocked. Confirm with the user before rewriting remote history.'),\n\n    # Hard reset\n    (r'\\bgit\\s+reset\\s+--hard\\b', 'git reset --hard is blocked. Use --soft or --mixed, or confirm with user first.'),\n\n    # Database destructive ops\n    (r'\\b(DROP\\s+(TABLE|DATABASE|SCHEMA)|TRUNCATE\\s+TABLE)\\b', 'Destructive SQL (DROP/TRUNCATE) is blocked. Confirm with the user before destroying data.', re.IGNORECASE),\n    (r'\\b(db:reset|db:drop|prisma.*reset)\\b', 'Database reset scripts are blocked. Confirm with the user — this destroys all data.'),\n\n    # Credential leakage to stdout (basic check)\n    (r'\\b(cat|echo|curl|printf)\\b.*\\.(env|secret|secrets|pem|key)\\b', 'Printing credential files to stdout is blocked. Use secure variable injection instead.'),\n]\n\nfor rule in BLOCKED:\n    pattern = rule[0]\n    message = rule[1]\n    flags = rule[2] if len(rule) > 2 else 0\n    if re.search(pattern, command, flags):\n        print(json.dumps({\n            \"decision\": \"block\",\n            \"reason\": f\"[command-guard] {message}\\n\\nBlocked command: {command[:200]}\"\n        }))\n        sys.exit(2)\n\n# All clear\nsys.exit(0)\n```\n\nMake it executable:\n\n```bash\nchmod +x .claude/hooks/command-guard.py\n```\n\n---\n\n### Step 2: Register the hook in .claude/settings.json\n\nIf `.claude/settings.json` doesn't exist, create it. If it does, add to the `hooks` array:\n\n```json\n{\n  \"hooks\": {\n    \"PreToolUse\": [\n      {\n        \"matcher\": \"Bash\",\n        \"hooks\": [\n          {\n            \"type\": \"command\",\n            \"command\": \"python3 .claude/hooks/command-guard.py\"\n          }\n        ]\n      }\n    ]\n  }\n}\n```\n\n---\n\n### Step 3: Verify the hook is registered\n\nRestart Claude Code, then ask it to run a blocked command:\n\n```\nRun: rm -rf ./test-dir\n```\n\nThe agent should receive a block message rather than executing the command.\n\n---\n\n## Customizing the Blocklist\n\nEdit the `BLOCKED` list in `command-guard.py` to add project-specific rules.\n\n**Example: Block deploys to production from feature branches**\n\n```python\n(r'\\bdeploy.*production\\b', 'Direct production deploys are blocked. Merge to main first, then deploy via CI.'),\n```\n\n**Example: Block overwriting specific config files**\n\n```python\n(r'\\bcp\\b.*\\b(\\.env\\.production|secrets\\.json)\\b', 'Overwriting production config files is blocked. Edit manually.'),\n```\n\n**Example: Allow force push only to personal branches**\n\nReplace the force push rule with a more nuanced check:\n\n```python\n# Allow force push to personal/feature branches, block on main/master/staging\nif re.search(r'\\bgit\\s+push\\s+.*(-f|--force)\\b', command):\n    if not re.search(r'\\b(main|master|staging|production)\\b', command):\n        sys.exit(0)  # Allow: not targeting a protected branch\n    print(json.dumps({\"decision\": \"block\", \"reason\": \"Force push to protected branches is blocked.\"}))\n    sys.exit(2)\n```\n\n---\n\n## Understanding the Hook Pattern\n\nClaude Code hooks are scripts that fire at specific points in the agent's tool lifecycle:\n\n| Hook Type | When It Fires | Use Cases |\n|-----------|--------------|-----------|\n| `PreToolUse` | Before any tool call | Block dangerous operations, inject context |\n| `PostToolUse` | After any tool call | Log actions, update state, send notifications |\n| `Notification` | On system events (compaction, etc.) | Recovery, awareness updates |\n\nThe hook receives a JSON payload on stdin and communicates back via stdout + exit code:\n- **Exit 0**: Allow the tool call to proceed\n- **Exit 2**: Block the tool call; the `reason` in stdout is shown to the agent\n\nHooks are composable. You can chain multiple hooks for the same event, and each runs independently.\n\n---\n\n## What This Does Not Cover\n\nThis guard blocks the most common dangerous operations. It does not:\n- Inspect file contents before writes (use a `Write` tool hook for that)\n- Validate SQL in ORM calls (only raw SQL strings)\n- Prevent API calls that delete remote resources\n\nFor production systems where the agent has access to critical infrastructure, layer additional guards specific to your environment.\n\n---\n\n## Going Further\n\nThis guard works when you're watching. But what about when you're not? If your agent runs a scheduled job at 2 AM and hits a destructive edge case, a command-guard hook still blocks it — but nobody sees the block message until morning. And command blocking is just one layer of safety.\n\n**Instar adds the safety infrastructure that autonomous agents need.** Identity grounding hooks fire before the agent sends any external message — so it can't accidentally email or post something off-character. Every tool call across every session gets audit-logged for post-hoc review. And the command guard is installed automatically as part of setup, along with all the other hooks.\n\nSafety is important, but it's just the foundation. With Instar, your agent also gets:\n- **A job scheduler** — recurring tasks on cron, running while you sleep\n- **Background sessions** — spawn parallel workers for deep tasks\n- **Telegram integration** — two-way messaging from your phone\n- **Persistent identity and memory** — context that survives across sessions\n\nOne command, about 2 minutes:\n\n```bash\nnpx instar\n```\n\nYour agent goes from guarded-when-you're-watching to safe-when-you're-not. [instar.sh](https://instar.sh)","tags":["command","guard","instar","jkheadley","agent-framework","agent-identity","agent-infrastructure","agent-memory","agent-skills","ai-agents","ai-safety","autonomous-agents"],"capabilities":["skill","source-jkheadley","skill-command-guard","topic-agent-framework","topic-agent-identity","topic-agent-infrastructure","topic-agent-memory","topic-agent-skills","topic-ai-agents","topic-ai-safety","topic-autonomous-agents","topic-claude-code","topic-cli","topic-cron","topic-job-scheduler"],"categories":["instar"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/JKHeadley/instar/command-guard","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add JKHeadley/instar","source_repo":"https://github.com/JKHeadley/instar","install_from":"skills.sh"}},"qualityScore":"0.479","qualityRationale":"deterministic score 0.48 from registry signals: · indexed on github topic:agent-skills · 59 github stars · SKILL.md body (7,713 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-02T06:55:53.027Z","embedding":null,"createdAt":"2026-04-18T22:14:32.147Z","updatedAt":"2026-05-02T06:55:53.027Z","lastSeenAt":"2026-05-02T06:55:53.027Z","tsv":"'/test-dir':623 '/usr/bin/env':219 '0':251,277,303,523,535,561,752,846 '1':207,526 '2':241,529,533,557,570,772,854,970,1122 '200':555 '3':603 'a-za-z':323,328,353 'access':935 'accident':1027 'across':1038,1117 'action':816 'add':586,646,1004 'addit':940 'agent':316,625,789,867,933,964,1010,1018,1079,1128 'allow':252,281,702,720,753,847 'along':1061 'also':1080 'api':922 'array':590 'ask':613 'audit':1043 'audit-log':1042 'automat':1056 'autonom':1009 'awar':828 'b':333,358,380,399,422,441,450,465,472,493,498,504,663,686,687,692,738,744,749 'back':840 'background':1093 'bash':119,212,227,236,296,301,565,595,1124 'basic':490 'bcp':685 'bdeploy':661 'bgit':349,375,394,417,732 'block':12,41,48,91,115,134,225,242,317,337,363,384,405,427,455,477,511,520,544,618,629,641,652,668,678,698,726,762,770,805,855,891,984,990,996 'blocklist':128,307,638 'branch':168,173,658,708,725,758,768 'brm':321 'built':109 'built-in':108 'call':121,231,238,266,297,804,814,850,858,916,923,1037 'case':799,977 'cat':193,494 'chain':873 'charact':1034 'check':123,491,718 'chmod':566 'ci':676 'claud':34,54,105,229,610,777 'claude/hooks':215 'claude/hooks/command-guard.py':217,568,601 'claude/settings.json':10,575,577 'clean':145,351,360 'clear':559 'code':35,55,106,230,240,250,611,778,844 'command':2,14,46,50,58,125,191,228,244,254,304,306,539,548,553,554,598,599,619,635,739,750,980,995,1052,1120 'command-guard':1,45,547,979 'command-guard.py':221,644 'common':894 'communic':839 'compact':825 'compos':870 'config':681,695 'confirm':162,385,406,433,456,478 'consequ':66 'contain':198 'content':902 'context':809,1114 'corrupt':79 'cover':888 'creat':208,216,581 'credenti':83,189,486,506 'critic':937 'cron':1088 'curl':196,496 'custom':636 'danger':13,42,49,94,226,806,895 'data':78,462,485 'databas':19,174,179,437,445,473 'db':183,185,466,468 'decis':543,761 'deep':1099 'default':132 'delet':77,136,149,319,925 'deploy':653,666,674 'destroy':461,483 'destruct':152,438,451,975 'direct':664 'doesn':578 'dri':369 'drop':20,176,178,186,442,469 'drop/truncate':453 'dry-run':368 'echo':194,495 'edg':976 'edit':59,639,699 'els':534 'email':1028 'env':499,688 'environ':945 'etc':826 'event':824,879 'everi':1035,1039 'exampl':651,677,701 'except':274,275 'execut':25,53,130,234,564,633 'exist':580 'exit':239,249,843,845,853 'explicit':160,341 'expos':82 'exposur':190 'extern':100,1021 'f':146,158,332,357,361,398,403,546,736 'fail':282 'featur':657 'file':60,148,197,366,507,682,696,901 'fire':783,797,1015 'first':371,436,672 'flag':75,527,540 'forc':17,155,372,379,381,401,703,711,721,737,764 'foundat':1075 'get':114,1041,1081 'git':144,150,153,156,163,169,359,423 'go':946 'goe':1129 'ground':1013 'guard':3,40,47,117,549,890,941,949,981,1053,1132 'guarded-when-you':1131 'guardrail':68 'hallucin':74 'hard':165,414,421,425 'histori':80,151,392,413 'hit':973 'hoc':1048 'hook':8,31,89,111,210,223,573,589,592,596,606,775,779,793,831,868,875,909,982,1014,1066 'ident':1012,1111 'ile':400 'import':255,257,259,261,1069 'independ':883 'infrastructur':63,938,1007 'inject':515,808 'input':267,290,293 'inspect':900 'instal':86,205,1055 'instar':1003,1077,1126 'instar.sh':1146,1147 'instead':347,516 'instruct':71 'integr':1102 'intercept':118,295 'irrevers':135,318 'job':968,1083 'json':258,591,691,834 'json.dumps':542,760 'json.load':272 'key':200,503 'layer':939,1000 'leakag':487 'len':531 'lifecycl':792 'list':364,642 'load':263 'log':815,1044 'main':671,745 'main/master/staging':728 'make':562 'manag':62 'manual':700 'master':746 'matcher':594 'memori':1113 'merg':669 'messag':248,524,550,630,991,1022,1106 'minut':1123 'misunderstood':70 'mix':431 'mkdir':213 'morn':993 'move':344 'multipl':874 'n':551 'name':285,288,300 'nblock':552 'need':1011 'nobodi':987 'non':141 'non-temporari':140 'notif':820,821 'npm/prisma':187 'npx':1125 'nuanc':717 'off-charact':1032 'one':999,1119 'op':439 'open':283 'oper':95,175,807,896 'orm':915 'os':262 'other':22 'overwrit':679,693 'p':214 'parallel':1096 'pars':280 'part':1058 'password':202 'path':143,342 'pattern':28,312,521,538,776 'payload':271,835 'payload.get':286,291 'pem':502 'persist':1110 'person':707 'personal/feature':724 'phone':1109 'point':786 'post':1030,1047 'post-hoc':1046 'posttoolus':810 'pretoolus':7,88,222,593,800 'preven':44 'prevent':921 'print':505,541,759 'printf':497 'prisma':470 'proceed':852 'product':655,662,665,689,694,748,929 'project':36,648 'project-specif':647 'protect':43,757,767 'push':18,154,157,172,373,377,382,396,402,704,712,722,734,765 'python':218,659,683,719 'python3':220,600 'r':320,327,348,374,393,416,440,464,492,660,684,731,743 'rather':631 'raw':918 're':260,953,960,1136,1144 're-not':1143 're-watch':1135 're.ignorecase':463 're.search':537,730,742 'real':65 'reason':313,545,763,860 'rebas':170 'receiv':627,832 'recoveri':827 'recur':1085 'regex':311 'regist':571,608 'remot':391,412,926 'replac':709 'requir':102 'reset':164,184,415,419,424,467,471,474 'resourc':927 'restart':609 'review':1049 'rewrit':390,411 'rf':16,138,335,622 'rm':15,137,334,339,621 'rule':308,310,518,522,525,528,532,650,713 'run':56,98,370,616,620,882,965,1089 'safe':1140 'safe-when-you':1139 'safeti':30,39,1002,1006,1067 'schedul':967,1084 'schema':446 'script':188,211,475,781 'secret':199,500,501,690 'secur':513 'see':988 'send':819,1019 'session':1040,1094,1118 'set':4 'setup':1060 'share':167 'shell':57 'show':246 'shown':314,864 'skill':85 'skill-command-guard' 'sleep':1092 'soft':429 'someth':1031 'source-jkheadley' 'spawn':1095 'specif':649,680,785,942 'sql':182,452,913,919 'stage':747 'state':818 'stdin':269,837 'stdout':204,489,509,842,862 'step':206,569,602 'still':983 'string':920 'surviv':1116 'sys':256 'sys.exit':276,302,556,560,751,771 'sys.stdin':273 'system':112,823,930 'tabl':177,444,449 'target':755 'task':1086,1100 'teach':26 'telegram':1101 'temporari':142 'token':201 'tool':101,120,237,265,284,287,289,292,299,791,803,813,849,857,908,1036 'tool_input.get':305 'topic-agent-framework' 'topic-agent-identity' 'topic-agent-infrastructure' 'topic-agent-memory' 'topic-agent-skills' 'topic-ai-agents' 'topic-ai-safety' 'topic-autonomous-agents' 'topic-claude-code' 'topic-cli' 'topic-cron' 'topic-job-scheduler' 'trash':346 'tri':270 'trigger':37 'truncat':180,447 'two':1104 'two-way':1103 'type':597,794 'understand':773 'untrack':147,365 'updat':817,829 'use':104,338,428,512,798,905 'user':161,388,409,435,459,481 'valid':912 'variabl':514 'verifi':604 'via':675,841 'watch':954,1137 'way':1105 'without':67,159 'word':38 'work':950 'worker':1097 'write':904,907 'x':567 'z':326,331,356 'za':325,330,355","prices":[{"id":"55ca8dcb-839a-43e1-83c7-fc21fc3a59e4","listingId":"57b61058-073d-4205-ae1d-d67f0308cd2a","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"JKHeadley","category":"instar","install_from":"skills.sh"},"createdAt":"2026-04-18T22:14:32.147Z"}],"sources":[{"listingId":"57b61058-073d-4205-ae1d-d67f0308cd2a","source":"github","sourceId":"JKHeadley/instar/command-guard","sourceUrl":"https://github.com/JKHeadley/instar/tree/main/skills/command-guard","isPrimary":false,"firstSeenAt":"2026-04-18T22:14:32.147Z","lastSeenAt":"2026-05-02T06:55:53.027Z"}],"details":{"listingId":"57b61058-073d-4205-ae1d-d67f0308cd2a","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"JKHeadley","slug":"command-guard","github":{"repo":"JKHeadley/instar","stars":59,"topics":["agent-framework","agent-identity","agent-infrastructure","agent-memory","agent-skills","ai-agents","ai-safety","autonomous-agents","claude-code","cli","cron","job-scheduler","llm","mcp","npm-package","open-source","persistency","telegram-bot","typescript","whatsapp"],"license":"mit","html_url":"https://github.com/JKHeadley/instar","pushed_at":"2026-05-02T05:23:59Z","description":"Persistent Claude Code agents with scheduling, sessions, memory, and Telegram.","skill_md_sha":"fb10bb432e0a00aa3f411eb9d7183f5acc41ef92","skill_md_path":"skills/command-guard/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/JKHeadley/instar/tree/main/skills/command-guard"},"layout":"multi","source":"github","category":"instar","frontmatter":{"name":"command-guard","license":"MIT","description":"Set up a PreToolUse hook in .claude/settings.json that blocks dangerous commands — rm -rf, force push, database drops, and others — before they execute. Teaches the pattern of safety hooks for any Claude Code project. Trigger words: safety, guard, block dangerous, protect, prevent destructive, safe mode, dangerous commands, risky operations."},"skills_sh_url":"https://skills.sh/JKHeadley/instar/command-guard"},"updatedAt":"2026-05-02T06:55:53.027Z"}}