From claude-code
Review bash commands for dangerous patterns and interpret exit codes correctly. Use when asked to "check this bash", "is this safe to run", "review this script", or when debugging a script that fails unexpectedly.
npx claudepluginhub agentic-utils/skills --plugin claude-codeThis skill uses the workspace's default tool permissions.
Review bash commands for dangerous patterns and interpret exit codes correctly.
Guides Next.js Cache Components and Partial Prerendering (PPR) with cacheComponents enabled. Implements 'use cache', cacheLife(), cacheTag(), revalidateTag(), static/dynamic optimization, and cache debugging.
Migrates code, prompts, and API calls from Claude Sonnet 4.0/4.5 or Opus 4.1 to Opus 4.5, updating model strings on Anthropic, AWS, GCP, Azure platforms.
Automates semantic versioning and release workflow for Claude Code plugins: bumps versions in package.json, marketplace.json, plugin.json; verifies builds; creates git tags, GitHub releases, changelogs.
Review bash commands for dangerous patterns and interpret exit codes correctly.
Not every non-zero exit code is an error. The following commands use non-zero exits to convey information:
| Command | Exit 0 | Exit 1 | Exit 2+ |
|---|---|---|---|
grep / rg | Matches found | No matches (not an error) | Real error |
find | Success | Some directories inaccessible | Real error |
diff | No differences | Files differ (not an error) | Real error |
test / [ | Condition true | Condition false (not an error) | Real error |
Common mistake: treating grep exit 1 as an error in a pipeline, causing the whole script to abort when set -e is active. Fix:
# Wrong — aborts on no matches
grep "pattern" file.txt
# Correct — treats no-match as non-error
grep "pattern" file.txt || true
# Or check explicitly
if grep -q "pattern" file.txt; then
echo "found"
else
echo "not found" # exit 1, not an error
fi
These patterns can execute arbitrary code:
$() — command substitution` ` — backtick substitution<() / >() — process substitution=cmd at word-start (zsh) — equals expansion, bypasses binary allowlists# Dangerous: heredoc inside $()
$(cat <<EOF
rm -rf /
EOF
)
# Dangerous: setting IFS changes how word-splitting works
IFS=/ read -r a b <<< "$path"
# Can cause unexpected word splitting in subsequent commands
$LD_PRELOAD — injects shared libraries into subsequent processes$DYLD_INSERT_LIBRARIES — macOS equivalent$@ or $* — word-splits on spaces in argumentsThese zsh-specific patterns can bypass command allowlists or execute code through modules:
zmodload — loads zsh modules that enable dangerous operations (file I/O, TCP, pseudo-terminals)emulate -c — eval-equivalentsysopen, sysread, syswrite — low-level file descriptor operations via zsh/systemztcp, zsocket — network operations via zsh/netzf_rm, zf_mv, zf_chmod — builtin filesystem operations that bypass binary checksBefore running an unfamiliar script:
$var splits on spaces and globsset -e is active, will grep/diff/test exits cause unexpected aborts?rm or rm -rf present? What path does it target?$() or backtick expand user-controlled input?> or >> target a sensitive file?curl, wget, nc)?When asked to review a script, go through the checklist above and report: