Destructive Command Guardrails is a security Claude skill built by Garry Tan. Best for: DevOps engineers and developers working in production environments who need protection against accidental destructive operations.

What it does
Warn before executing destructive commands like rm -rf, DROP TABLE, force-push, and kubectl delete.
Category
security
Created by
Garry Tan
Last updated
Claude Skill, security, GitHub-backed, Curated, intermediate, Claude Code

Destructive Command Guardrails


Skill instructions


name: careful
version: 0.1.0
description: |
  Safety guardrails for destructive commands. Warns before rm -rf, DROP TABLE,
  force-push, git reset --hard, kubectl delete, and similar destructive operations.
  User can override each warning. Use when touching prod, debugging live systems,
  or working in a shared environment. Use when asked to "be careful", "safety mode",
  "prod mode", or "careful mode". (gstack)
triggers:
  - be careful
  - warn before destructive
  - safety mode
allowed-tools:
  - Bash
  - Read
hooks:
  PreToolUse:
    - matcher: "Bash"
      hooks:
        - type: command
          command: "bash ${CLAUDE_SKILL_DIR}/bin/check-careful.sh"
          statusMessage: "Checking for destructive commands..."

<!-- AUTO-GENERATED from SKILL.md.tmpl — do not edit directly --> <!-- Regenerate: bun run gen:skill-docs -->

/careful — Destructive Command Guardrails

Safety mode is now active. Every bash command will be checked for destructive patterns before running. If a destructive command is detected, you'll be warned and can choose to proceed or cancel.

mkdir -p ~/.gstack/analytics
echo '{"skill":"careful","ts":"'$(date -u +%Y-%m-%dT%H:%M:%SZ)'","repo":"'$(basename "$(git rev-parse --show-toplevel 2>/dev/null)" 2>/dev/null || echo "unknown")'"}'  >> ~/.gstack/analytics/skill-usage.jsonl 2>/dev/null || true

What's protected

| Pattern | Example | Risk |
|---------|---------|------|
| rm -rf / rm -r / rm --recursive | rm -rf /var/data | Recursive delete |
| DROP TABLE / DROP DATABASE | DROP TABLE users; | Data loss |
| TRUNCATE | TRUNCATE orders; | Data loss |
| git push --force / -f | git push -f origin main | History rewrite |
| git reset --hard | git reset --hard HEAD~3 | Uncommitted work loss |
| git checkout . / git restore . | git checkout . | Uncommitted work loss |
| kubectl delete | kubectl delete pod | Production impact |
| docker rm -f / docker system prune | docker system prune -a | Container/image loss |

Safe exceptions

These patterns are allowed without warning:

  • rm -rf node_modules / .next / dist / __pycache__ / .cache / build / .turbo / coverage

How it works

The hook reads the command from the tool input JSON, checks it against the patterns above, and returns permissionDecision: "ask" with a warning message if a match is found. You can always override the warning and proceed.

To deactivate, end the conversation or start a new one. Hooks are session-scoped.
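
The check described under "How it works", as an added example (not the project's bin/check-careful.sh, which this page does not show): it classifies a command against the patterns in the table and treats rm -rf as safe only when every target is one of the listed build directories. The regexes, the `--hook` argument and the JSON field names (`.tool_input.command` in, `hookSpecificOutput` out) are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the project's bin/check-careful.sh. Patterns and safe
# directory names come from this page; the regexes are assumptions.
SAFE_DIRS='node_modules .next dist __pycache__ .cache build .turbo coverage'
S='[[:space:]]'

has() { printf '%s' "$1" | grep -Eiq -- "$2"; }   # case-insensitive ERE match

# Succeeds only if every word after "rm" is a flag or a relative safe directory,
# so "rm -rf dist /var/data" and "rm -rf dist && ..." still warn.
rm_is_safe() {
  local word base unsafe=1
  set -f                                   # do not glob-expand the command's words
  for word in ${1#*rm }; do
    case $word in -*) continue ;; /*|*..*) unsafe=1; break ;; esac
    base=${word%/}; base=${base##*/}
    case " $SAFE_DIRS " in *" $base "*) unsafe=0 ;; *) unsafe=1; break ;; esac
  done
  set +f
  return "$unsafe"
}

# Prints the risk label and returns 0 when the command should trigger a warning.
classify() {
  local cmd risk=
  cmd=$(printf '%s' "$1" | tr '\n' ' ')    # judge multi-line input as a whole
  if has "$cmd" "(^|[^[:alnum:]_])rm$S+([^;&|]*$S)?(-[[:alpha:]]*r|--recursive)" \
      && ! rm_is_safe "$cmd"; then risk='Recursive delete'
  elif has "$cmd" "drop$S+(table|database)|truncate$S"; then risk='Data loss'
  elif has "$cmd" "git$S+push.*$S(--force|-f)($S|\$)"; then risk='History rewrite'
  elif has "$cmd" "git$S+(reset$S+--hard|(checkout|restore)$S+\.($S|\$))"; then
    risk='Uncommitted work loss'
  elif has "$cmd" "kubectl$S+delete"; then risk='Production impact'
  elif has "$cmd" "docker$S+(rm$S+-f|system$S+prune)"; then risk='Container/image loss'
  fi
  [ -n "$risk" ] && printf '%s\n' "$risk"
}

# Hook entry point. Assumed shapes: the command arrives as .tool_input.command
# and the decision is returned under hookSpecificOutput. Needs jq.
hook_main() {
  local cmd risk
  cmd=$(jq -r '.tool_input.command // empty') || return 0
  risk=$(classify "$cmd") || return 0      # no match: emit nothing, normal flow
  jq -n --arg r "[careful] $risk. Proceed?" '{hookSpecificOutput:
    {hookEventName:"PreToolUse",permissionDecision:"ask",permissionDecisionReason:$r}}'
}
if [ "${1:-}" = "--hook" ]; then hook_main; fi
```

The safe-exception check is deliberately conservative: quoted targets, absolute paths, `..` segments and anything chained after the rm all fall back to a warning.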

Use this skill

Most skills are portable instruction packages. Claude Code supports SKILL.md directly. Other agents can use adapted files like AGENTS.md, .cursorrules, and GEMINI.md.

Claude Code

Save SKILL.md into your Claude Skills folder, then restart Claude Code.

mkdir -p ~/.claude/skills/destructive-command-guardrails && curl -L "https://raw.githubusercontent.com/garrytan/gstack/HEAD/careful/SKILL.md" -o ~/.claude/skills/destructive-command-guardrails/SKILL.md

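Installs to ~/.claude/skills/destructive-command-guardrails/SKILL.md. The command fetches only SKILL.md; the hook declared in the skill instructions runs bin/check-careful.sh from the skill directory, so that script must also be present there for the check to run.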

Use cases

DevOps engineers and developers working in production environments need protection against accidental destructive operations.


Stats

Installs: 0
GitHub Stars: 88.8k
Forks: 13084
License: MIT
Updated: Mar 27, 2026