Your AI Agent Just Ran rm -rf / — How to Stop It Before It Happens

elad — Fri, 13 Mar 2026 07:52:10 +0000

We gave AI agents the keys to our terminal. It was only a matter of time before one tried to burn the house down.

The Problem Nobody Talks About

Claude Code is incredible. You describe what you want, and it writes code, runs tests, manages git — all autonomously. But here's the thing: every Bash command it runs has the same permissions as you.

That means when Claude Code decides to "clean up" your project, it can run:

rm -rf .

When it tries to fix a git issue, it might run:

git push --force origin main

When it's debugging a database migration:

DROP DATABASE production;

These aren't hypothetical. AI agents make mistakes. They hallucinate commands. They misinterpret context. And unlike a human who pauses before hitting Enter on something dangerous, an AI agent just executes.

Claude Code Hooks: The Interception Point

Claude Code introduced hooks — a mechanism that lets you run custom commands before a tool executes. The PreToolUse hook fires before every Bash command, giving you a chance to inspect and block it.

The hook protocol is simple:

Claude Code is about to run a Bash command
It sends the command as JSON to your hook via stdin
Your hook returns a JSON response with "permissionDecision": "allow" or "deny"
Claude Code respects the decision

This is powerful, but building your own safety rules from scratch means maintaining regex patterns, tracking edge cases, and covering dozens of dangerous command families. That's a full-time job.

Enter shellfirm: 100+ Safety Rules, One Command to Install

shellfirm is an open-source tool that intercepts dangerous shell commands before they execute. It ships with 100+ built-in patterns covering 9 ecosystems — filesystem, git, Kubernetes, Terraform, AWS, databases, Docker, and more.

Setup takes 30 seconds:

# Install shellfirm
npm install -g @shellfirm/cli

# Connect to Claude Code (installs hooks + MCP server automatically)
shellfirm connect claude-code

That's it. shellfirm is now watching every command Claude Code runs.

What happens under the hood

When Claude Code tries to run git push --force origin main, here's the flow:

Claude Code: "I'll fix this by force pushing"
     |
     v
PreToolUse Hook fires
     |
     v
shellfirm check --stdin --format json --exit-code
     |
     v
+-------------------------------------+
| Pattern matched: git:force_push     |
| Severity: HIGH                      |
| Blast radius: RESOURCE              |
| Decision: DENY                      |
|                                     |
| Alternative: git push               |
|   --force-with-lease                |
|   (checks remote is up-to-date)     |
+-------------------------------------+
     |
     v
Claude Code: blocked. Uses safer alternative instead.

The command never executes. Claude Code receives the denial with a suggested alternative, and adapts.

Real Patterns shellfirm Catches

Here's a sample of what shellfirm blocks out of the box:

Category	Dangerous Command	What shellfirm Suggests
Filesystem	`rm -rf /`	Scoped deletion with explicit path
Git	`git push --force`	`git push --force-with-lease`
Git	`git reset --hard`	`git stash` before reset
Kubernetes	`kubectl delete namespace`	Add `--dry-run` first
Terraform	`terraform destroy`	`terraform plan -destroy` to review
Database	`DROP DATABASE`	Backup first, use `IF EXISTS`
Docker	`docker system prune -af`	Remove `--all` flag
AWS	`aws ec2 terminate-instances`	Verify instance ID carefully

Each pattern includes severity levels (Low, Medium, High, Critical) and blast radius detection (Project, Resource, or Machine-wide).

The MCP Server: Teaching Claude to Ask Before Acting

shellfirm doesn't just block commands — it also installs an MCP (Model Context Protocol) server that gives Claude Code on-demand safety tools:

check_command — "Is this command safe to run?"
explain_risk — "What could go wrong with this command?"
suggest_alternative — "What's a safer way to do this?"
get_policy — "What are the current safety rules?"

This means Claude Code can proactively check commands before attempting them, rather than getting blocked and retrying. It learns to work with the safety rules.

Configure It Your Way

shellfirm is fully customizable. Want to be strict about git but relaxed about filesystem operations? Easy:

# ~/.shellfirm/settings.yaml
enabled_groups:
  - git
  - git-strict
  - kubernetes
  - terraform
  - database

agent:
  auto_deny_severity: High  # Block High and Critical severity

Need project-specific rules? Drop a .shellfirm.yaml in your repo:

# .shellfirm.yaml
policies:
  - check_id: git:force_push
    severity: Critical  # Escalate for this project

It Works For Humans Too

shellfirm isn't just for AI agents. Install it in your shell and it protects you the same way — with interactive challenges (solve a math problem to confirm you really meant to rm -rf):

# Add to your shell
shellfirm init bash >> ~/.bashrc  # or zsh, fish, etc.

One tool protects both you and your AI agents.

Why This Matters Now

AI coding agents are becoming the default way we write software. Claude Code, Cursor, Windsurf — they all execute shell commands autonomously. The productivity gains are massive, but so is the blast radius when something goes wrong.

A single bad command can:

Delete your uncommitted work
Force push over your team's changes
Drop a production database
Terminate cloud infrastructure
Corrupt your git history

shellfirm is the seatbelt for this new world. You don't think about it until you need it — and when you need it, you're very glad it's there.

Get Started

npm install -g @shellfirm/cli
shellfirm connect claude-code

Two commands. Zero configuration required. 100+ dangerous patterns blocked.

GitHub: github.com/kaplanelad/shellfirm
Star the repo if this saved you from a future disaster

shellfirm is open source and free. Contributions welcome — especially new check patterns for tools your team uses.

loco-rs: releasing a framework inspired by Rails on Rust

elad — Sun, 17 Dec 2023 09:34:19 +0000

We've just released an initial version of Loco, a Rails inspired framework for Rust. Looking to get feedback, ideas, and contributions! (also, feel free to AMA here)

Website: https://loco.rs/
Github: https://github.com/loco-rs/loco

Secure you shell commands history

elad — Sun, 17 Jul 2022 12:28:57 +0000

Secrets can be everywhere, even in your shell history commands.
I created a small tool that detects and clean those commands from your history. You can even stash your history commands before you share your screen and pop the history when you finish.

Appreciate your feedback
https://github.com/rusty-ferris-club/shellclear

Opppsss you did it again?

elad — Wed, 12 Jan 2022 14:46:13 +0000

Hey all,

Did you ever run a command by mistake?

delete a folder recursively?
git reset --hard and remove all your work?
Or any command that you can think of as risky.

Shellfirm is a handy utility to help avoid running dangerous commands with an extra approval step.

See more on GitHub page:
https://github.com/kaplanelad/shellfirm

DEV Community: elad