Dangerous Command Guard Hook

Comprehensive PreToolUse guard that blocks a wide range of risky shell commands including force deletes, database drops, disk operations, permission changes, and network-level destructive actions. Configurable blocklist with categorized threat patterns.

Hook | Community | security | v1.0.0 | MIT

Hook Type

PreToolUse with Bash matcher -- Intercepts and validates all shell commands.

Description

This hook provides comprehensive protection against dangerous shell commands across multiple risk categories: filesystem destruction, database operations, system configuration, network operations, and git destructive actions. Each category has specific patterns that are checked before any Bash command executes.

Patterns/Rules

Blocked Command Categories

| Category | Patterns | Risk |
|---|---|---|
| Filesystem | rm -rf /, rm -rf ~, rm -rf . | Data loss |
| Database | DROP DATABASE, DROP TABLE, TRUNCATE | Data loss |
| System | mkfs, dd if=, fdisk, chmod -R 777 | System damage |
| Git | push --force, reset --hard, clean -fdx | History loss |
| Network | iptables -F, ufw disable | Security breach |
| Process | kill -9 1, killall, pkill -9 | System instability |

Configuration

Hook Script (scripts/guard-commands.sh)

```bash
#!/bin/bash
# guard-commands.sh -- Comprehensive dangerous command blocker

INPUT=$(cat)

# Fail closed: if jq is missing or the payload is not valid JSON, block
# instead of silently allowing the command.
if ! CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty'); then
  echo "BLOCKED [GUARD]: could not parse hook input (is jq installed?)" >&2
  exit 2
fi
CMD_LOWER=$(printf '%s' "$CMD" | tr '[:upper:]' '[:lower:]')

# Category: Filesystem Destruction
FS_PATTERNS=("rm -rf /" "rm -rf ~" "rm -rf ." "rm -rf *" "shred" "wipefs")

# Category: Database Destruction
DB_PATTERNS=("drop database" "drop table" "drop schema" "truncate " "delete from" "db.dropdatabase")

# Category: System Damage
SYS_PATTERNS=("mkfs" "dd if=" "fdisk" "chmod -r 777" "chmod 777 /" "chown -r root")

# Category: Git Destructive
GIT_PATTERNS=("git push --force" "git push -f " "git reset --hard" "git clean -fd" "git clean -fx")

# Category: Network/Security
NET_PATTERNS=("iptables -f" "ufw disable" "firewall-cmd --panic")

# Category: Process Destruction
PROC_PATTERNS=("kill -9 1" "killall" "pkill -9")

# check_patterns CATEGORY PATTERN...
# Exits with status 2 (block) on the first pattern found in the command.
check_patterns() {
  local category=$1
  shift
  local patterns=("$@")
  local pattern
  for pattern in "${patterns[@]}"; do
    # -F matches the pattern as a literal substring, so "." and "*" are not
    # read as regex metacharacters; "--" ends grep's option parsing.
    if printf '%s\n' "$CMD_LOWER" | grep -qF -- "$pattern"; then
      echo "BLOCKED [$category]: Command matches dangerous pattern '$pattern'" >&2
      echo "Command: $CMD" >&2
      echo "If you need to run this command, do it manually outside Claude Code." >&2
      exit 2
    fi
  done
}

check_patterns "FILESYSTEM" "${FS_PATTERNS[@]}"
check_patterns "DATABASE" "${DB_PATTERNS[@]}"
check_patterns "SYSTEM" "${SYS_PATTERNS[@]}"
check_patterns "GIT" "${GIT_PATTERNS[@]}"
check_patterns "NETWORK" "${NET_PATTERNS[@]}"
check_patterns "PROCESS" "${PROC_PATTERNS[@]}"

exit 0
```

Settings Configuration

```json
{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "command": "bash ./scripts/guard-commands.sh"
          }
        ]
      }
    ]
  }
}
```

Action

Before any Bash command:

  1. Extracts the command from tool input
  2. Checks against all six threat categories
  3. If dangerous pattern found: blocks with category label and explanation
  4. If safe: allows execution
  5. Message suggests running dangerous commands manually if truly needed
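
The matching step above, as an added example that is not part of the original hook: it runs a subset of the blocklist over constructed commands and compares regular-expression matching (grep -q) with fixed-string matching (grep -qF). The match_with helper, the BLOCKLIST layout and the sample commands are assumptions made for illustration.

```shell
#!/bin/bash
# Added example with constructed inputs; not the hook's own code.
# Subset of the page's blocklist, one "CATEGORY|pattern" entry per line.
BLOCKLIST='FILESYSTEM|rm -rf /
FILESYSTEM|rm -rf .
FILESYSTEM|rm -rf *
DATABASE|drop table
GIT|git push --force
NETWORK|iptables -f'

# match_with MODE COMMAND (hypothetical helper)
# Prints the category of the first matching pattern, or ALLOW.
# MODE "regex" uses grep -q; MODE "fixed" uses grep -qF (literal substring).
match_with() {
  mode=$1
  cmd_lower=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  while IFS='|' read -r category pattern; do
    if [ "$mode" = "fixed" ]; then
      flag=-qF
    else
      flag=-q
    fi
    if printf '%s\n' "$cmd_lower" | grep "$flag" -- "$pattern"; then
      echo "$category"
      return 0
    fi
  done <<EOF
$BLOCKLIST
EOF
  echo ALLOW
}

# Constructed sample commands: compare both matching modes side by side.
for sample in "rm -rf build/" "rm -rfv old.log" "rm -rf ./dist" \
              "psql -c 'DROP TABLE sessions'" \
              "echo 'never DROP TABLE in prod'" "ls -la"; do
  printf '%-34s regex=%-10s fixed=%s\n' "$sample" \
    "$(match_with regex "$sample")" "$(match_with fixed "$sample")"
done
```

Fixed-string matching stops "." and "*" from acting as wildcards, but the check remains a substring test on the whole command line, so relative-path deletes and quoted text such as the echo sample are still blocked.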