We gave AI agents the keys to our terminal. It was only a matter of time before one tried to burn the house down.
The Problem Nobody Talks About
Claude Code is incredible. You describe what you want, and it writes code, runs tests, manages git — all autonomously. But here's the thing: every Bash command it runs has the same permissions as you.
That means when Claude Code decides to "clean up" your project, it can run:
rm -rf .
When it tries to fix a git issue, it might run:
git push --force origin main
When it's debugging a database migration:
DROP DATABASE production;
These aren't hypothetical. AI agents make mistakes. They hallucinate commands. They misinterpret context. And unlike a human who pauses before hitting Enter on something dangerous, an AI agent just executes.
Claude Code Hooks: The Interception Point
Claude Code introduced hooks — a mechanism that lets you run custom commands before a tool executes. The PreToolUse hook fires before every Bash command, giving you a chance to inspect and block it.
The hook protocol is simple:
- Claude Code is about to run a Bash command
- It sends the command as JSON to your hook via stdin
- Your hook returns a JSON response with
"permissionDecision": "allow"or"deny" - Claude Code respects the decision
This is powerful, but building your own safety rules from scratch means maintaining regex patterns, tracking edge cases, and covering dozens of dangerous command families. That's a full-time job.
Enter shellfirm: 100+ Safety Rules, One Command to Install
shellfirm is an open-source tool that intercepts dangerous shell commands before they execute. It ships with 100+ built-in patterns covering 9 ecosystems — filesystem, git, Kubernetes, Terraform, AWS, databases, Docker, and more.
Setup takes 30 seconds:
# Install shellfirm
npm install -g @shellfirm/cli
# Connect to Claude Code (installs hooks + MCP server automatically)
shellfirm connect claude-code
That's it. shellfirm is now watching every command Claude Code runs.
What happens under the hood
When Claude Code tries to run git push --force origin main, here's the flow:
Claude Code: "I'll fix this by force pushing"
|
v
PreToolUse Hook fires
|
v
shellfirm check --stdin --format json --exit-code
|
v
+-------------------------------------+
| Pattern matched: git:force_push |
| Severity: HIGH |
| Blast radius: RESOURCE |
| Decision: DENY |
| |
| Alternative: git push |
| --force-with-lease |
| (checks remote is up-to-date) |
+-------------------------------------+
|
v
Claude Code: blocked. Uses safer alternative instead.
The command never executes. Claude Code receives the denial with a suggested alternative, and adapts.
Real Patterns shellfirm Catches
Here's a sample of what shellfirm blocks out of the box:
| Category | Dangerous Command | What shellfirm Suggests |
|---|---|---|
| Filesystem | rm -rf / |
Scoped deletion with explicit path |
| Git | git push --force |
git push --force-with-lease |
| Git | git reset --hard |
git stash before reset |
| Kubernetes | kubectl delete namespace |
Add --dry-run first |
| Terraform | terraform destroy |
terraform plan -destroy to review |
| Database | DROP DATABASE |
Backup first, use IF EXISTS
|
| Docker | docker system prune -af |
Remove --all flag |
| AWS | aws ec2 terminate-instances |
Verify instance ID carefully |
Each pattern includes severity levels (Low, Medium, High, Critical) and blast radius detection (Project, Resource, or Machine-wide).
The MCP Server: Teaching Claude to Ask Before Acting
shellfirm doesn't just block commands — it also installs an MCP (Model Context Protocol) server that gives Claude Code on-demand safety tools:
-
check_command— "Is this command safe to run?" -
explain_risk— "What could go wrong with this command?" -
suggest_alternative— "What's a safer way to do this?" -
get_policy— "What are the current safety rules?"
This means Claude Code can proactively check commands before attempting them, rather than getting blocked and retrying. It learns to work with the safety rules.
Configure It Your Way
shellfirm is fully customizable. Want to be strict about git but relaxed about filesystem operations? Easy:
# ~/.shellfirm/settings.yaml
enabled_groups:
- git
- git-strict
- kubernetes
- terraform
- database
agent:
auto_deny_severity: High # Block High and Critical severity
Need project-specific rules? Drop a .shellfirm.yaml in your repo:
# .shellfirm.yaml
policies:
- check_id: git:force_push
severity: Critical # Escalate for this project
It Works For Humans Too
shellfirm isn't just for AI agents. Install it in your shell and it protects you the same way — with interactive challenges (solve a math problem to confirm you really meant to rm -rf):
# Add to your shell
shellfirm init bash >> ~/.bashrc # or zsh, fish, etc.
One tool protects both you and your AI agents.
Why This Matters Now
AI coding agents are becoming the default way we write software. Claude Code, Cursor, Windsurf — they all execute shell commands autonomously. The productivity gains are massive, but so is the blast radius when something goes wrong.
A single bad command can:
- Delete your uncommitted work
- Force push over your team's changes
- Drop a production database
- Terminate cloud infrastructure
- Corrupt your git history
shellfirm is the seatbelt for this new world. You don't think about it until you need it — and when you need it, you're very glad it's there.
Get Started
npm install -g @shellfirm/cli
shellfirm connect claude-code
Two commands. Zero configuration required. 100+ dangerous patterns blocked.
- GitHub: github.com/kaplanelad/shellfirm
- Star the repo if this saved you from a future disaster
shellfirm is open source and free. Contributions welcome — especially new check patterns for tools your team uses.
Top comments (0)