Search everything...

Marketplace

claude-warden

Smart command safety filter for Claude Code

npx claudepluginhub banyudu/claude-warden

README

View full README on GitHub

1 Plugin

warden

Smart command safety filter for Claude Code — parses shell pipelines and evaluates per-command safety rules to auto-approve safe commands and block dangerous ones

v2.10.1

Related Marketplaces

nextjs

139.3K

0plugins

No description available.

thedotmack

72.2K

0plugins

Plugins by Alex Newman (thedotmack)

caveman

51.4K

0plugins

Ultra-compressed communication mode for Claude Code. Cuts ~75% of tokens while keeping full technical accuracy.

Stats

Plugins1

Stars23

UpdatedApr 29, 2026

Links

View on GitHub View Marketplace JSON

Help us improve

Share bugs, ideas, or general feedback.

claude-warden Marketplace - Claude Code Plugins | ClaudePluginHub

Back to Marketplaces

Marketplace

claude-warden

Smart command safety filter for Claude Code

npx claudepluginhub banyudu/claude-warden

README

Claude Warden

Smart command safety filter for Claude Code. Parses shell commands, evaluates each against configurable safety rules, and returns allow/deny/ask decisions — eliminating unnecessary permission prompts while blocking dangerous commands.

The problem

Claude Code's permission system is all-or-nothing. In the default mode, you're prompted for every shell command — even ls, cat, and grep. This creates a painful UX where you're clicking "Allow" hundreds of times per session on obviously safe commands. The alternative (yolo mode) disables all prompts, which is dangerous.

There's no middle ground: you can't say "allow git but block git push --force", or "allow ssh to my dev server but prompt for production". And compound commands like npm run build && npm test trigger a single opaque prompt with no visibility into what's actually being run.

How Warden solves it

Warden hooks into Claude Code's PreToolUse event and parses every shell command into an AST using bash-parser. This means it doesn't just see npm run build && git push --force as a single string — it walks the AST to extract each individual command, then evaluates them independently against a configurable rule engine.

This AST-based approach enables:

Pipe and chain decomposition: cat file | grep pattern | wc -l is parsed into three commands, each evaluated separately. All safe → auto-allow. One dangerous → deny the whole pipeline.
Argument-aware rules: git status → allow, git push --force → prompt. rm temp.txt → allow, rm -rf / → prompt. The evaluator matches against argument patterns, not just command names.
Recursive evaluation of remote commands: ssh devserver 'cat /etc/hosts' → Warden extracts the remote command, parses it through the same pipeline, and allows it. ssh devserver 'sudo rm -rf /' → denied. Same for docker exec, kubectl exec, and sprite exec.
Shell wrapper unwrapping: sh -c "npm run build && npm test" → the inner command is extracted and recursively parsed/evaluated, not treated as an opaque string.
Env prefix handling: NODE_ENV=production npm run build → correctly evaluates npm run build, ignoring the env prefix.
Recursive subshell evaluation: Commands with $() or backticks are extracted, parsed, and recursively evaluated through the same pipeline. echo $(cat file.txt) → both echo and cat are evaluated individually. Only unparseable constructs (heredocs, complex shell syntax) fall back to prompting when askOnSubshell is enabled.
Feedback on blocked commands: When a command is blocked or flagged, Warden provides a system message explaining why and a YAML snippet showing how to allow it in your config.

The result: 100+ common dev commands auto-approved, dangerous commands auto-denied, everything else configurable — with zero changes to how you use Claude Code.

Before and after

Command	Without Warden	With Warden
`ls -la`	Prompted	Auto-allowed
`cat file \| grep pattern \| wc -l`	Prompted	Auto-allowed (3 safe commands)
`npm run build && npm test`	Prompted	Auto-allowed
`git push --force origin main`	Prompted	Prompted (force push is risky)
`sudo rm -rf /`	Prompted	Auto-denied (sudo is blocked)
`ssh devserver cat /etc/hosts`	Prompted	Auto-allowed (trusted host + safe cmd)
`ssh devserver sudo rm -rf /`	Prompted	Auto-denied (trusted host + dangerous cmd)

Warden vs Auto Mode

Claude Code recently introduced Auto Mode, which uses a background classifier model to approve or block actions without manual prompts. Here's how it compares to Warden:

View full README on GitHub

1 Plugin

warden

Smart command safety filter for Claude Code — parses shell pipelines and evaluates per-command safety rules to auto-approve safe commands and block dangerous ones

v2.10.1

Related Marketplaces

nextjs

139.3K

0plugins

No description available.

thedotmack

72.2K

0plugins

Plugins by Alex Newman (thedotmack)

caveman

51.4K

0plugins

Ultra-compressed communication mode for Claude Code. Cuts ~75% of tokens while keeping full technical accuracy.

Stats

Plugins1

Stars23

UpdatedApr 29, 2026

Links

View on GitHub View Marketplace JSON

Help us improve

Share bugs, ideas, or general feedback.

Claude Warden

The problem

How Warden solves it

This AST-based approach enables:

Pipe and chain decomposition: cat file | grep pattern | wc -l is parsed into three commands, each evaluated separately. All safe → auto-allow. One dangerous → deny the whole pipeline.
Argument-aware rules: git status → allow, git push --force → prompt. rm temp.txt → allow, rm -rf / → prompt. The evaluator matches against argument patterns, not just command names.
Recursive evaluation of remote commands: ssh devserver 'cat /etc/hosts' → Warden extracts the remote command, parses it through the same pipeline, and allows it. ssh devserver 'sudo rm -rf /' → denied. Same for docker exec, kubectl exec, and sprite exec.
Shell wrapper unwrapping: sh -c "npm run build && npm test" → the inner command is extracted and recursively parsed/evaluated, not treated as an opaque string.
Env prefix handling: NODE_ENV=production npm run build → correctly evaluates npm run build, ignoring the env prefix.
Recursive subshell evaluation: Commands with $() or backticks are extracted, parsed, and recursively evaluated through the same pipeline. echo $(cat file.txt) → both echo and cat are evaluated individually. Only unparseable constructs (heredocs, complex shell syntax) fall back to prompting when askOnSubshell is enabled.
Feedback on blocked commands: When a command is blocked or flagged, Warden provides a system message explaining why and a YAML snippet showing how to allow it in your config.

The result: 100+ common dev commands auto-approved, dangerous commands auto-denied, everything else configurable — with zero changes to how you use Claude Code.

Before and after

Command	Without Warden	With Warden
`ls -la`	Prompted	Auto-allowed
`cat file \| grep pattern \| wc -l`	Prompted	Auto-allowed (3 safe commands)
`npm run build && npm test`	Prompted	Auto-allowed
`git push --force origin main`	Prompted	Prompted (force push is risky)
`sudo rm -rf /`	Prompted	Auto-denied (sudo is blocked)
`ssh devserver cat /etc/hosts`	Prompted	Auto-allowed (trusted host + safe cmd)
`ssh devserver sudo rm -rf /`	Prompted	Auto-denied (trusted host + dangerous cmd)

Warden vs Auto Mode

Claude Code recently introduced Auto Mode, which uses a background classifier model to approve or block actions without manual prompts. Here's how it compares to Warden: