An open-source tool called Destructive Command Guard has passed 3,000 GitHub stars by doing something the AI coding-agent vendors mostly do not: it sits between the agent and your shell and blocks catastrophic commands -- like git reset --hard, rm -rf on your source folder, or DROP TABLE users -- before they can execute. It is the community's answer to a real fear, that an AI agent will run one wrong command and destroy hours of uncommitted work in milliseconds.
Key facts
- The tool intercepts and blocks destructive git, filesystem, and database commands out of the box, with sub-millisecond latency (SIMD-accelerated filtering).
- It supports Claude Code, Codex CLI, Gemini CLI, GitHub Copilot CLI, VS Code Copilot Chat, Cursor, Hermes Agent, and Grok, among others.
- More than 3,000 stars, 1,761 commits, and a latest release (v0.6.6) shipped the day before -- signs of active, daily development.
- Built by Jeffrey Emanuel (concept and Python/Rust implementation) and Darin Gordon (Rust port). GitHub repo.
The hook is the failure mode everyone who uses these tools has quietly worried about. AI coding agents run shell commands autonomously. Most of the time that is fine. But an agent that misreads a situation can run rm -rf on the wrong directory or git reset --hard over uncommitted changes, and those commands are irreversible -- the work is simply gone. Destructive Command Guard is a guardrail that sits in the path and refuses the dangerous ones before they reach the shell.
Background for the non-expert: a "hook" is a small program that a coding agent calls before it runs a command, giving a third-party tool a chance to inspect and veto that command. This is smarter than a simple word filter. The tool does "smart context detection" -- it will not block grep "rm -rf" (which is just searching for that text) but will block rm -rf / (which actually executes it), and it scans inside heredocs and inline scripts to catch things like python -c "os.remove(...)". It ships with more than 50 security packs covering databases, Kubernetes, Docker, cloud providers, and Terraform, and it is "fail-open" by design: if it times out or hits a parse error, it lets the command through rather than freezing your workflow.
Think of it like a spell-checker that only interrupts you when you are about to send something truly damaging -- not flagging every mention of a dangerous word, but stepping in exactly when the dangerous thing is about to actually happen, and getting out of the way otherwise.
Why it matters: this is the fourth convergence point in a week defined by the question "what is your coding agent actually doing?" A token-overhead teardown showed agents sending far more than you think; a wire-level analysis alleged one agent uploads entire repositories; a security benchmark ranked which models catch bugs. Destructive Command Guard is the citizen response -- developers building the shields the vendors did not ship by default. That it supports nearly every major agent, including the same Grok Build CLI flagged this week for exfiltration, makes it something like an open-source immune system for the whole coding-agent ecosystem. It also rhymes with the token-overhead finding that one agent silently ignored its instruction file: the recurring pattern is that vendors optimize for getting the agent launched and productive, and the community fills the safety gap.
The honest caveat: a guard like this is a safety net, not a security boundary. It blocks known-dangerous command patterns, but a determined or novel failure will find paths it does not cover, and its agent-specific "trust levels" are, by the project's own description, advisory labels rather than hard enforcement. The fail-open design that keeps it from breaking your workflow also means a timeout lets commands through. It meaningfully reduces the odds of the common catastrophes -- the accidental rm -rf, the reflexive git reset --hard -- which is genuinely valuable. But the deeper lesson of the week stands: the real fix for agent safety is sandboxing and least-privilege, and a command guard is a pragmatic layer on top, not a substitute for it.
Originally published on Ground Truth, where every claim is checked against the primary source.
Top comments (0)