
Block Destructive Commands Hook

Blocks dangerous shell commands like rm -rf, git push --force, and database drops before they execute. A safety net against catastrophic mistakes: it inspects every Bash tool call and, when a destructive pattern matches, exits with code 2, which blocks the command.

Hook | Community | security | v1.0.0 | MIT

Hook Type

PreToolUse with Bash matcher -- Intercepts Bash commands before execution.

Description

This hook is a safety net that blocks known-dangerous shell commands before Claude can execute them. It catches destructive patterns like rm -rf, git push --force, DROP TABLE, and other commands that could cause irreversible damage. The blocked command list is configurable. Matching is a case-insensitive substring check, so treat it as a coarse guard: it also fires on git push --force-with-lease, on truncate -s 0 file, and on a quoted rm -rf inside an echo, while a reordered rm -fr or rm -r -f passes. It protects against slips, not against a caller that deliberately rewrites a command to evade it.

Patterns/Rules

Default blocked patterns:

  • rm -rf -- Recursive force delete
  • git push --force / git push -f -- Force push (overwrites remote history)
  • git reset --hard -- Discards all local changes
  • git clean -fd -- Deletes untracked files permanently
  • DROP TABLE / DROP DATABASE -- Database destruction
  • TRUNCATE -- Irreversible data deletion
  • mkfs -- Filesystem formatting
  • dd if= -- Raw device copying (dd if=... of=/dev/... overwrites a disk)
  • :(){ :|:& };: -- Fork bomb

Configuration

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "command": "bash -c 'INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r \".tool_input.command\"); BLOCKED_PATTERNS=(\"rm -rf\" \"git push --force\" \"git push -f\" \"git reset --hard\" \"git clean -fd\" \"DROP TABLE\" \"DROP DATABASE\" \"TRUNCATE \" \"mkfs\" \"dd if=\" \":(){ :|:& };:\"); for pattern in \"${BLOCKED_PATTERNS[@]}\"; do if echo \"$CMD\" | grep -qiF -- \"$pattern\"; then echo \"BLOCKED: Command contains dangerous pattern: $pattern\" >&2; exit 2; fi; done; exit 0'"
          }
        ]
      }
    ]
  }
}

grep is run with -F (fixed strings) and -- so that a pattern containing regex metacharacters, such as the fork bomb, is compared literally and a pattern beginning with a dash is never read as an option.

Script-Based Version (easier to maintain)

Save as scripts/block-dangerous-commands.sh:

#!/bin/bash
# block-dangerous-commands.sh
# PreToolUse hook: reads the tool call as JSON on stdin, extracts the Bash
# command string, and exits 2 (block) if it contains a known-dangerous substring.

INPUT=$(cat)
CMD=$(echo "$INPUT" | jq -r '.tool_input.command')

# Case-insensitive substrings. They are matched literally (grep -F), not as
# regular expressions. Note that -i makes "git branch -D" also match "git branch -d".
BLOCKED_PATTERNS=(
  "rm -rf"
  "git push --force"
  "git push -f"
  "git reset --hard"
  "git clean -fd"
  "git branch -D"
  "DROP TABLE"
  "DROP DATABASE"
  "TRUNCATE "
  "mkfs"
  "dd if="
  "chmod -R 777"
  "chown -R"
  "> /dev/sda"
)

for pattern in "${BLOCKED_PATTERNS[@]}"; do
  if printf '%s\n' "$CMD" | grep -qiF -- "$pattern"; then
    echo "BLOCKED: Command contains dangerous pattern: '$pattern'" >&2
    echo "Command was: $CMD" >&2
    exit 2
  fi
done

exit 0

Then configure:

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "command": "bash ./scripts/block-dangerous-commands.sh"
          }
        ]
      }
    ]
  }
}

Action

Before any Bash command executes:

  1. The hook receives the command as JSON on stdin
  2. Extracts the command string and checks against all blocked patterns
  3. If a dangerous pattern is found: logs the reason to stderr and exits with code 2 (blocks execution)
  4. If no match: exits with code 0 (allows execution)
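The following is an added example and not part of this template: a bash harness that reproduces the hook's substring check as a function (same default pattern list as the one-liner above), runs it over a few constructed commands, and places a stricter argv-aware check for rm and git push beside it so the difference is visible. The function names substring_check, argv_check and verdict, and the sample commands, are assumptions of this example; the page's hook itself uses only the substring logic.

```bash
#!/usr/bin/env bash
# Added example (not the template's code): compare the hook's substring
# matching with a token-aware check on constructed commands.

# Default list from the page's one-liner (same strings, same order).
BLOCKED_PATTERNS=(
  "rm -rf" "git push --force" "git push -f" "git reset --hard" "git clean -fd"
  "DROP TABLE" "DROP DATABASE" "TRUNCATE " "mkfs" "dd if=" ":(){ :|:& };:"
)

# substring_check CMD: the template's logic. Case-insensitive, literal
# (-F) substring search; -- keeps a dash-leading pattern from being read as
# an option. Returns 2 on a hit and 0 otherwise, like the hook's exit codes.
substring_check() {
  local cmd="$1" pattern
  for pattern in "${BLOCKED_PATTERNS[@]}"; do
    if printf '%s\n' "$cmd" | grep -qiF -- "$pattern"; then
      return 2
    fi
  done
  return 0
}

# argv_check CMD: split on whitespace and inspect the first word and its
# flags, so merged or reordered short options are still caught and
# look-alike flags are not. Covers rm and git push only (hypothetical
# hardening, not the page's hook) and does not parse pipes or quoting.
argv_check() {
  local -a words
  local w
  read -ra words <<< "$1"
  case "${words[0]:-}" in
    rm)
      local recursive=0 force=0
      for w in "${words[@]:1}"; do
        case "$w" in
          --recursive) recursive=1 ;;
          --force)     force=1 ;;
          --*)         ;;                                  # other long option
          -*)          [[ "$w" == *[rR]* ]] && recursive=1 # -r/-R anywhere in the cluster
                       [[ "$w" == *f* ]] && force=1 ;;     # -f anywhere in the cluster
        esac
      done
      [ "$recursive" = 1 ] && [ "$force" = 1 ] && return 2
      ;;
    git)
      if [ "${words[1]:-}" = push ]; then
        for w in "${words[@]:2}"; do
          case "$w" in
            --force|-f) return 2 ;;   # exact flag only: --force-with-lease is allowed
          esac
        done
      fi
      ;;
  esac
  return 0
}

# verdict CHECKER CMD: prints BLOCKED or ALLOWED and always exits 0.
verdict() {
  if "$1" "$2"; then echo ALLOWED; else echo BLOCKED; fi
}

# Constructed sample commands (not taken from any real session).
samples=(
  "rm -rf ./build"
  "rm -fr ./build"
  "rm -r -f ./build"
  "git push --force origin main"
  "git push --force-with-lease origin main"
  "truncate -s 0 app.log"
  "echo 'never run rm -rf here'"
  "ls -la"
)

printf '%-42s %-10s %s\n' COMMAND SUBSTRING ARGV
for s in "${samples[@]}"; do
  printf '%-42s %-10s %s\n' "$s" "$(verdict substring_check "$s")" "$(verdict argv_check "$s")"
done
```

Running it prints a three-column table; the rows where the columns disagree are the point. rm -fr and rm -r -f pass the substring check but not the argv check, while git push --force-with-lease, truncate -s 0 app.log and the quoted rm -rf inside an echo are blocked by the substring check only. Neither check sees through pipes, quoting, variables or bash -c, so either version is a guard against slips rather than a sandbox.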