Motivations
AI coding agents are powerful — but with great power comes rm -rf /
I've been recommending tools like Claude Code and Cursor to junior devs and non-technical folks lately. These agents can execute shell commands autonomously, which is useful. But it also means a single hallucination could wipe their SSH keys, nuke a folder, or brick a meticulously created dev environment.
Frontier models do come with guardrails, but I wanted control over project-specific no-nos too. Like pushing to master or running that one script that drops the staging database.
An LLM deciding whether a command is "safe" is probabilistic. I wanted something classical — a system where I define exactly what's allowed and what's blocked, with no ambiguity.
I am a fan of simple systems that are super effective, and git is one such system. I took inspiration from gitignore: gitignore rules use simple pattern matching, one rule per line, easy for anyone to read and modify.
Solution
Agentguard intercepts shell commands before they execute and validates them against a simple rules file. If a command matches a block pattern, it is stopped. If it's allowed, it runs normally.
Here's what it looks like in practice.
> run nuketown.sh
⏺ Bash(./nuketown.sh)
⎿ Error: PreToolUse:Bash hook error: [node ./dist/bin/claude-hook.js]: 🚫
AgentGuard BLOCKED: ./nuketown.sh
Rule: *nuketown*
Reason: Blocked by rule: *nuketown*
Rules file
You create a .agentguard file in your project root with patterns for commands you want to block.
# The obvious dangerous stuff
!rm -rf /
!rm -rf /*
!mkfs*
!dd if=* of=/dev/*
# Don't let agents read my secrets
!cat ~/.ssh/*
!cat ~/.aws/*
!cat */.env
# Block that sketchy script I use for demos
!*nuketown*
Claude Hooks
Claude Code has a hook system that lets you intercept tool calls before they run. AgentGuard registers a PreToolUse hook that receives every Bash command as JSON, validates it against your rules, and returns exit code 0 (allow) or 2 (block).
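To make the rules-file format and the hook decision concrete, here is an added example of a minimal rule engine in JavaScript. It is illustrative code written for this post, not AgentGuard's own implementation, and it assumes that `!` lines are block rules, `#` lines are comments, `*` and `?` are globs matched against the whole trimmed command, and that the hook JSON carries `tool_name` and `tool_input.command`.

```javascript
// Constructed example of an AgentGuard-style rule engine plus PreToolUse
// hook decision. Assumptions (this is not the project's code):
//   - a line starting with "!" is a block rule, "#" starts a comment,
//   - "*" matches any run of characters (newlines included), "?" one char,
//   - a rule blocks when its glob matches the whole trimmed command.

// Parse .agentguard text into a list of {pattern, regex} block rules.
function parseRules(text) {
  const rules = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    if (!line.startsWith("!")) continue; // only "!" lines are rules here
    const pattern = line.slice(1).trim();
    rules.push({ pattern, regex: globToRegExp(pattern) });
  }
  return rules;
}

// Translate a gitignore-style glob into an anchored RegExp.
function globToRegExp(glob) {
  let src = "";
  for (const ch of glob) {
    if (ch === "*") src += "[\\s\\S]*"; // agents may send multi-line scripts
    else if (ch === "?") src += ".";
    else src += ch.replace(/[.+^${}()|[\]\\]/, "\\$&"); // escape regex metachars
  }
  return new RegExp("^" + src + "$");
}

// Return the first rule that blocks the command, or null if it is allowed.
function checkCommand(command, rules) {
  const cmd = command.trim();
  for (const rule of rules) if (rule.regex.test(cmd)) return rule;
  return null;
}

// Decide one PreToolUse hook call. `hookInput` is the parsed JSON the hook
// reads from stdin (the {tool_name, tool_input.command} shape is assumed).
// Returns {exitCode, message}: 0 = allow, 2 = block, as the post describes.
function decideHook(hookInput, rules) {
  if (hookInput.tool_name !== "Bash") return { exitCode: 0, message: "" };
  const command = (hookInput.tool_input && hookInput.tool_input.command) || "";
  const hit = checkCommand(command, rules);
  if (!hit) return { exitCode: 0, message: "" };
  const message = `AgentGuard BLOCKED: ${command}\nRule: ${hit.pattern}\nReason: Blocked by rule: ${hit.pattern}`;
  return { exitCode: 2, message };
}
```

The CLI entry point only has to read the hook JSON from stdin, load `.agentguard`, print the message to stderr and `process.exit(exitCode)`. Because matching is anchored to the whole command, a rule needs leading or trailing `*` to cover extra arguments or prefixes, which is why the post's examples use `*` generously.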
I am hoping to add support for other agentic tools like Cursor, Codex, Windsurf and Kiro. The core rules engine validation is agent-agnostic, so adding new integrations is mostly about figuring out each tool's interception mechanisms.
Check it out at https://github.com/krishkumar/agentguard
Try it today with npm install -g ai-agentguard