The latest articles on DEV Community by Krishna (@krishna_newark). https://dev.to/krishna_newark https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3649592%2F63f58bf4-af5d-4134-8972-e992c99ba08f.jpg https://dev.to/krishna_newark en Krishna Sat, 06 Dec 2025 19:57:51 +0000 https://dev.to/krishna_newark/ai-coding-agents-can-run-rm-rf-on-your-machine-heres-how-to-stop-them-32m https://dev.to/krishna_newark/ai-coding-agents-can-run-rm-rf-on-your-machine-heres-how-to-stop-them-32m <p>TLDR: use agentguard to block agents from running any command<br> . Installs with default rules that block most dangerous commands and scripts. </p> <p>GitHub - <a href="https://github.com/krishkumar/agentguard" rel="noopener noreferrer">https://github.com/krishkumar/agentguard</a></p> <p>Install - <code>npm install -g ai-agentguard</code></p> <h2> Motivations </h2> <p>AI coding agents are powerful — but with great power comes <code>rm -rf /</code></p> <p>I've been recommending tools like Claude Code and Cursor to junior devs and non-technical folks lately. These agents can execute shell commands autonomously, which is useful. But it also means a single hallucination could wipe their SSH keys, nuke a folder, or brick a meticulously created dev environment.</p> <p>Frontier models do come with guardrails, but I wanted control over project specific no-nos too. Like pushing to master or running that one script that drops the staging database.</p> <p>An LLM deciding whether a command is "safe" is probabilistic. I wanted something classical — a system where I define exactly what's allowed and what's blocked, with no ambiguity.</p> <p>I am a fan of simple systems that are super effective and git is one such. I took inspiration from gitignore. gitignore rules have simple pattern matching, one rule per line, easy for anyone to read and modify.</p> <h2> Solution </h2> <p>Agentguard intercepts shell commands before they execute and validates them against a simple rules file. If a command matches a block pattern, it is stopped. If it's allowed, it runs normally. </p> <p>Here's how it looks like in practice.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; run nuketown.sh ⏺ Bash(./nuketown.sh) ⎿ Error: PreToolUse:Bash hook error: [node ./dist/bin/claude-hook.js]: 🚫 AgentGuard BLOCKED: ./nuketown.sh Rule: *nuketown* Reason: Blocked by rule: *nuketown* </code></pre> </div> <h2> Rules file </h2> <p>You create a .agentguard file in your project root with patterns for commands you want to block<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># The obvious dangerous stuff !rm -rf / !rm -rf /* !mkfs* !dd if=* of=/dev/* # Don't let agents read my secrets !cat ~/.ssh/* !cat ~/.aws/* !cat */.env # Block that sketchy script I use for demos !*nuketown* </code></pre> </div> <h2> Claude Hooks </h2> <p>Claude Code has a hook system that lets you intercept tool calls before they run. AgentGuard registers a PreToolUse hook that receives every Bash command as JSON, validates it against your rules, and returns exit code 0 (allow) or 2 (block).</p> <p>I am hoping to add support for other agentic tools like Cursor, Codex, Windsurf and Kiro. The core rules engine validation is agent-agnostic, so adding new integrations is mostly about figuring out each tool's interception mechanisms. </p> <p>Check it out at <a href="https://github.com/krishkumar/agentguard" rel="noopener noreferrer">https://github.com/krishkumar/agentguard</a><br> Try it today with <code>npm install -g ai-agentguard</code></p> claude security agents coding