Skill

safety-guard

From ecc

Blocks destructive commands like rm -rf, git force-push, kubectl delete on production systems and autonomous agents. Locks file edits to specific directories.

Bash

Install

npx claudepluginhub krishnendu409/everything-claude-free-version

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- When working on production systems

SKILL.md

Similar Skills

deployment-patterns

Provides deployment strategies (rolling, blue-green, canary), multi-stage Dockerfiles for Node.js, health checks, rollback plans, and production checklists for web apps.

everything-claude-code

158.8k

configure-ecc

Interactively installs Everything Claude Code skills and rules to user-level (~/.claude) or project-level (.claude) directories, verifies paths, and optimizes files. Activate on 'configure ecc' or setup requests.

everything-claude-code

158.8k

defi-amm-security

Provides security checklist and hardened patterns for Solidity DeFi AMM contracts, liquidity pools, and swap flows. Covers reentrancy, CEI ordering, donation attacks, oracle manipulation, slippage, admin controls, and integer math.

everything-claude-code

158.8k

Stats

Stars0

Forks0

Last CommitApr 10, 2026

Used By17 plugins

Actions

View Source View Plugin View on GitHub View README

Safety Guard — Prevent Destructive Operations

When to Use

When working on production systems
When agents are running autonomously (full-auto mode)
When you want to restrict edits to a specific directory
During sensitive operations (migrations, deploys, data changes)

How It Works

Three modes of protection:

Mode 1: Careful Mode

Intercepts destructive commands before execution and warns:

Watched patterns:
- rm -rf (especially /, ~, or project root)
- git push --force
- git reset --hard
- git checkout . (discard all changes)
- DROP TABLE / DROP DATABASE
- docker system prune
- kubectl delete
- chmod 777
- sudo rm
- npm publish (accidental publishes)
- Any command with --no-verify

When detected: shows what the command does, asks for confirmation, suggests safer alternative.

Mode 2: Freeze Mode

Locks file edits to a specific directory tree:

/safety-guard freeze src/components/

Any Write/Edit outside src/components/ is blocked with an explanation. Useful when you want an agent to focus on one area without touching unrelated code.

Mode 3: Guard Mode (Careful + Freeze combined)

Both protections active. Maximum safety for autonomous agents.

/safety-guard guard --dir src/api/ --allow-read-all

Agents can read anything but only write to src/api/. Destructive commands are blocked everywhere.

Unlock

/safety-guard off

Implementation

Uses PreToolUse hooks to intercept Bash, Write, Edit, and MultiEdit tool calls. Checks the command/path against the active rules before allowing execution.

Integration

Enable by default for codex -a never sessions
Pair with observability risk scoring in ECC 2.0
Logs all blocked actions to ~/.claude/safety-guard.log