This skill should be used when a command is blocked by claude-guard, when the response contains "BLOCKED by claude-guard", when the user asks "why was my command blocked", "what commands are blocked", "guard rules", "safety rules", or when Claude is about to execute a potentially dangerous command. Covers git force push, git reset --hard, git checkout --, git clean, git commit --no-verify, rm -rf, chmod 777, DROP TABLE, TRUNCATE, DELETE without WHERE, docker system prune, docker compose down -v, kubectl delete, terraform destroy, aws s3 rm, gh repo delete, Route53 delete, and credential exposure warnings after file writes.
From claude-guardnpx claudepluginhub hex/claude-marketplace --plugin claude-guardThis skill uses the workspace's default tool permissions.
Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.
Implements structured self-debugging workflow for AI agent failures: capture errors, diagnose patterns like loops or context overflow, apply contained recoveries, and generate introspection reports.
Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.
The claude-guard plugin enforces a three-tier safety model that prevents destructive operations before they execute and warns about credential exposure after file writes. Understanding these tiers enables working effectively within the safety boundaries and selecting safe alternatives without triggering blocks.
Catastrophic, irreversible commands that must never be executed by an AI agent. When a command is blocked at this tier, inform the user that the command must be run manually if truly needed. Do not attempt to find workarounds or alternative phrasings.
Categories:
rm -rf /, rm -rf ~, rm -rf $HOMEdd writing to block devices, mkfs, fdiskDROP DATABASE, DROP SCHEMAkubectl delete namespace, kubectl delete --allaws s3 rb --force, aws ec2 terminate-instances, aws rds delete-db-instance, aws rds delete-db-clustergcloud projects deletegh repo deleteaws route53 delete-hosted-zoneDangerous commands that have a safer alternative. The user is prompted for confirmation before execution. If the user approves, the command proceeds. If denied, suggest the safer alternative listed below.
Git Operations:
| Blocked Command | Safe Alternative |
|---|---|
git push --force / -f | git push --force-with-lease |
git reset --hard | git stash first, then reset |
git reset --merge | git stash first, then reset |
git checkout -- . or git checkout -- <path> | git stash or git diff first |
git restore (not --staged) | git restore --staged or git stash |
git clean -f | git clean -n (dry run) first |
git branch -D | git branch -d (merge check) |
git stash drop/clear | git stash list first |
git commit --no-verify | Remove flag, fix hook failures |
git push --no-verify | Remove flag, fix hook failures |
Filesystem Operations:
| Blocked Command | Safe Alternative |
|---|---|
rm -rf <directory> (also rm -r -f, rm --recursive --force) | List contents first, ask user to confirm |
mv <path> /dev/null | Use rm with confirmation, or move to backup location |
chmod 777 | Use specific permissions (755, 644) |
Docker Operations:
| Blocked Command | Safe Alternative |
|---|---|
docker system prune | docker system prune --dry-run first |
docker rm -f | docker stop then docker rm |
docker volume rm | docker volume ls first |
docker network rm | docker network ls first |
docker compose down -v | docker compose down (no -v) |
docker rmi -f | docker rmi without force |
Database Operations:
| Blocked Command | Safe Alternative |
|---|---|
DROP TABLE | Add IF EXISTS, confirm with user |
TRUNCATE | Use DELETE with WHERE clause |
DELETE FROM without WHERE | Add WHERE clause or confirm with user |
Kubernetes Operations:
| Blocked Command | Safe Alternative |
|---|---|
kubectl delete <resource> | kubectl delete --dry-run=client first |
Cloud Operations (AWS/GCP/Azure):
| Blocked Command | Safe Alternative |
|---|---|
aws s3 rm --recursive | aws s3 rm --dryrun first |
gcloud compute instances delete | List instances first, confirm with user |
gcloud sql instances delete | Verify instance name, confirm with user |
gsutil rm -r | gsutil ls first |
az group delete | az group delete --dry-run first |
az vm delete | List VMs first, confirm with user |
az storage account delete | List storage first, confirm with user |
az sql server delete | Verify server name, confirm with user |
Infrastructure as Code:
| Blocked Command | Safe Alternative |
|---|---|
terraform destroy | terraform plan -destroy first |
terraform apply -destroy | terraform plan -destroy first |
pulumi destroy | pulumi preview --diff first |
cdk destroy | cdk diff first |
GitHub CLI:
| Blocked Command | Safe Alternative |
|---|---|
gh release delete | gh release list first |
gh secret delete | gh secret list first |
DNS Operations:
| Blocked Command | Safe Alternative |
|---|---|
aws route53 change-resource-record-sets (DELETE action) | List records first, confirm with user |
gcloud dns managed-zones delete | gcloud dns managed-zones list first |
az network dns zone delete | az network dns zone list first |
Detected after file writes. These do not block execution but add warning context. Review the warning and take corrective action if credentials were accidentally written.
Credential Patterns Detected:
Destructive SQL in Files:
DROP TABLE/DATABASE/SCHEMA/INDEX statementsTRUNCATE statementsDELETE FROM without WHERE clauseScan scope: Credential patterns are checked in all written files except .git/, .env.example, .env.template, .env.sample, node_modules/, and lock files (package-lock.json, yarn.lock, pnpm-lock.yaml, Podfile.lock, go.sum, Cargo.lock). Destructive SQL scanning only applies to .sql, .py, .js, .ts, .rb, .go, .java, .php, .sh, and .bash files.
The guard uses context-aware matching to avoid false positives. Patterns are only matched against executed code, not string data:
echo, printf, grep, sed, awk, git commit -m, etc. are treated as data and not matched--notes, --body, --title, -m, --message are treated as data (e.g., gh release create --notes "covers DROP TABLE" is safe)MSG="git push --force" is a variable assignment, not executed# is ignoredbash -c, eval, source, pipe | bash — string arguments to these ARE matched because they will be executedbash <(curl ...), source <(wget ...) — executes arbitrary remote codepython -c, ruby -e, perl -e, node -e with destructive patterns are blockedCommands are normalized before matching to prevent evasion:
/usr/bin/git becomes gitgit push --force becomes git push --forceenv wrappers stripped: env VAR=val git push --force becomes git push --forcegit -c config stripped: git -c user.name=x push --force becomes git push --forceThe following commands are always permitted, even if they partially match a blocked pattern:
git checkout -b (creating a new branch)git checkout --orphan (creating an orphan branch)git restore --staged / -S (unstaging files, not modifying working tree)git clean -n / --dry-run (previewing what would be removed)git push --force-with-lease / --force-if-includesrm -rf /tmp/*, /var/tmp/*, $TMPDIR/* (temp directory cleanup)docker system prune --dry-runkubectl delete --dry-runaws s3 rm --dryrun, aws ... --dry-run (AWS dry run)az ... --dry-run (Azure dry run)Before executing commands, verify they follow these patterns:
--force-with-lease instead of --forcels before using rm -rfgit clean -n)docker system prune --dry-run)WHERE clauses in DELETE statements--dryrun/--dry-run flags when availableplan or preview before destroyWhen writing files that handle configuration or authentication:
process.env.API_KEY, os.environ["SECRET"], ${VAR}).env.example files with placeholder values for documentationFor debugging false positives or understanding guard decisions, set CLAUDE_GUARD_EXPLAIN=1 in the environment. The guard will output its decision pipeline to stderr without affecting the JSON protocol on stdout.
For the authoritative and up-to-date list of all patterns, read the pack files directly:
$CLAUDE_PLUGIN_ROOT/hooks/scripts/guard/packs/core.py$CLAUDE_PLUGIN_ROOT/hooks/scripts/guard/packs/cloud.py$CLAUDE_PLUGIN_ROOT/hooks/scripts/guard/packs/infra.py$CLAUDE_PLUGIN_ROOT/hooks/scripts/guard/packs/cicd.py$CLAUDE_PLUGIN_ROOT/hooks/scripts/guard/packs/dns.py$CLAUDE_PLUGIN_ROOT/hooks/scripts/guard/packs/credentials.pyThe tables in this skill provide a quick reference, but the pack files are the definitive source if discrepancies arise.