npx claudepluginhub kastelldev/kastell
This skill uses the workspace's default tool permissions.
Safety guard that intercepts `kastell destroy` and `kastell restore` commands. Requires explicit confirmation before any destructive operation proceeds.
Invoke /kastell:careful before a session that involves server destruction or restoration. The skill-scoped prompt hook activates and monitors all Bash commands until the skill session ends.
Changed files:
!git diff --name-only 2>/dev/null || echo "Not a git repo"
Uncommitted:
!git status --short 2>/dev/null || echo "Not a git repo"
Three layers of protection work together:
Layer 1: Plugin hooks.json — Always active (plugin scope). Silently blocks kastell destroy and kastell server-delete via command hook (regex match, exit 2). No confirmation offered — hard block.
Layer 2: This skill's prompt hook — Active only during a /kastell:careful session. Uses an LLM to detect destroy AND restore intent in any Bash command. Returns `{"decision": "block"}` with a reason message explaining the block. Covers restore, which Layer 1 does NOT cover.
Layer 3: KASTELL_SAFE_MODE — Runtime guard embedded in CLI code itself (isSafeMode()). Last line of defense at the application layer.
The three layers are complementary: Layer 1 stops silent automation, Layer 2 provides in-session confirmation UX with semantic understanding, Layer 3 enforces safe mode at execution time.
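A Layer 1-style command hook (regex match, exit 2), as an added example that is not kastell's own hook code. It assumes the hook receives the pending tool call as JSON on stdin with the Bash command line in `tool_input.command`; the `--hook` flag, the `decide` and `sample` names and the regex itself belong to this example.

```javascript
// Added example: a Layer 1-style command hook. Not kastell's actual hook code.
// Assumption: the hook gets the pending tool call as JSON on stdin, with the
// Bash command line in tool_input.command; exit code 2 blocks the call.

// "kastell" as a command word (start, whitespace, separator, quote or path
// prefix), optional flags, then a blocked subcommand as a whole word.
const BLOCKED = /(?:^|[\s;&|("'`\/])kastell(?:\s+-\S+)*\s+(destroy|server-delete)(?=$|[\s;&|)"'`])/;

function decide(rawHookInput) {
  let input;
  try {
    input = JSON.parse(rawHookInput);
  } catch {
    // Fail closed: a payload we cannot read is not waved through.
    return { exitCode: 2, reason: "guard: unreadable hook input, blocking" };
  }
  // Only Bash tool calls carry a command line to inspect.
  if (input.tool_name !== "Bash") return { exitCode: 0, reason: "" };
  const command = String(input.tool_input?.command ?? "");
  const hit = BLOCKED.exec(command);
  if (!hit) return { exitCode: 0, reason: "" };
  return { exitCode: 2, reason: `guard: "kastell ${hit[1]}" is blocked by plugin hook` };
}

// Constructed sample payloads (not captured from a real session).
const sample = (command) =>
  JSON.stringify({ tool_name: "Bash", tool_input: { command } });

// Run as the hook with: node guard.js --hook   (flag name is this example's own)
if (process.argv.includes("--hook")) {
  let raw = "";
  process.stdin.on("data", (chunk) => (raw += chunk));
  process.stdin.on("end", () => {
    const { exitCode, reason } = decide(raw);
    if (reason) console.error(reason); // stderr carries the block reason
    process.exit(exitCode);
  });
}
```

A command assembled through a variable (`x=destroy; kastell $x`) passes this check, and `kastell restore` is not in the pattern at all, so a regex hook of this kind cannot be the only layer.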
Only kastell destroy and kastell restore are intercepted. Other commands (including kastell audit, kastell lock, kastell status) pass through without delay.
When a destructive command is detected: