I can't write code.
That's not a metaphor or false modesty. I'm a non-engineer who started using Claude Code about three months ago. I've shipped a game, published 30+ technical articles, and built a multi-agent system that keeps working while I sleep - and I haven't typed a single line of code myself.
Which means I had a problem.
When you can't read what's running, you can't tell if it's safe.
The Incident That Started All This
One afternoon I was watching Claude Code work through a refactoring task. It had been running autonomously for about 40 minutes. Then I saw it: rm -rf ./backup.
The command ran. The backup directory was gone.
It wasn't catastrophic - the files were recoverable from git. But I sat there realizing something uncomfortable: I had been running this system for weeks without ever thinking about what it was allowed to do. No dangerous command protection. No gate on external actions. No session checkpoint if things crashed.
I'd set up a lot of things. But I had no idea what I was missing.
The Problem With "I Think It's Fine"
When you're not an engineer, there's a particular kind of risk that's easy to miss.
You know the things you set up. You don't know the things you didn't set up - because you didn't know they existed.
I had a CLAUDE.md. I had some hooks. I had the basics. But I didn't have:
- A hook that intercepts
git reset --hardbefore it runs - Any record of what external actions the agent had taken
- A way to save session state before context ran out
These aren't edge cases. They're things that will eventually happen in any long-running autonomous session. I just didn't know enough to know I needed them.
I needed something that could look at my setup and tell me: here's what you're missing, and here's how bad it is.
Building the Diagnostic
The diagnostic checks 10 criteria, each weighted by how much damage the missing item can cause:
| # | What It Checks | Points | What Can Go Wrong |
|---|---|---|---|
| 1 |
CLAUDE.md exists |
2 | No persistent instructions - every session starts from scratch |
| 2 | Hooks directory is configured | 2 | No event-driven safety checks at all |
| 3 | Dangerous command protection | 3 |
rm -rf, git reset --hard, git clean -fd run without warning |
| 4 | Git auto-backup hook | 2 | No automatic branch before risky changes - recovery from reflog only |
| 5 | Session state saving | 1 | Context runs out, all progress lost, no handoff notes |
| 6 | External action gate | 2 | Agent can publish, push, or call APIs without review |
| 7 | Error tracking | 1 | Failures are fixed with band-aids, root cause never recorded |
| 8 | Secrets excluded in .gitignore
|
2 | One git push from public .env or credentials |
| 9 |
settings.json configured |
1 | Default permissive behavior instead of explicit permission model |
| 10 | No risky operations in git reflog | 3 |
reset --hard or clean -fd in history means it already happened once |
Total possible score: 19 points. Higher score = higher risk.
The 3-point items are weighted highest because they're the ones that cause data loss with no warning. A missing .gitignore entry is bad. An agent that can run rm -rf on your project directory is worse.
What a Clean Install Actually Scores
I ran the diagnostic on a fresh Claude Code environment - the kind of setup you'd have after following the official documentation, with nothing extra installed.
Claude Code Risk Score
Scanning: /home/user/project
? No CLAUDE.md found (+2)
? No hooks directory or empty (+2)
? Dangerous command protection hook (+3)
? Git auto-backup hook (+2)
? Session state saving (+1)
? External action gate (+2)
? Error tracking (+1)
? No secret patterns in .gitignore (+2)
? No settings.json found (+1)
? No risky operations in git reflog
Risk Score: 16/19 (CRITICAL)
16/19. Nine out of ten checks failed. The only thing that passed was "no risky operations in git history" - because nothing had happened yet.
This is what most Claude Code users are running on.
What Running --fix Does
The diagnostic has a --fix flag that installs 4 free safety hooks from the claude-code-ops-starter repository. It clones the repo to a temp directory, runs the install script, then rescans.
curl -sL https://gist.githubusercontent.com/yurukusa/10c76edee0072e2f08500dd43da30bc3/raw/risk-score.sh | bash -s -- --fix
After running it:
Re-scanning...
? CLAUDE.md found
? Hooks directory has files
? Dangerous command protection hook
? Git auto-backup hook (+2)
? Session state saving (+1)
? External action gate (+2)
? Error tracking (+1)
? Secrets excluded in .gitignore
? Claude Code settings.json exists
? No risky operations in git reflog
Risk Score: 7/19 (HIGH)
Improved by 9 points.
Before: 16/19 (CRITICAL)
After: 7/19 (HIGH)
9-point improvement. CRITICAL ? HIGH. Still four red items, but they're the harder ones: git backup, session state, external gate, error tracking. These require more than a single hook file.
One thing the fix mode guarantees: it never overwrites existing files. If you already have hooks, it doesn't touch them.
The Gap Between HIGH and LOW
That remaining 7-point gap is where the interesting stuff lives.
Git auto-backup (+2): A PreToolUse hook that creates a timestamped backup branch before any risky write operation. Sounds simple. In practice, it involves detecting which operations count as "risky" - file deletions, mass edits, git history rewrites.
External action gate (+2): Every time the agent tries to push code, post to an API, or publish content, this hook logs the action and optionally requires acknowledgment. This is the one that would have caught the incident I described earlier - not the rm -rf (that's dangerous command protection), but the class of "actions that affect the world outside your local environment."
Session state saving (+1): A Stop hook that captures a summary of what was in progress when the session ended - current task, open files, next action, waiting state. Without this, a context-exhaustion crash means starting from scratch.
Error tracking (+1): A PostToolUse hook that checks for error patterns in command output, logs them with context, and writes a root-cause note. The difference between "we fixed this bug" and "we fixed this bug, and here's why it happened."
These four, plus the free hooks, plus the manual items (.gitignore patterns, settings.json permissions, git reflog cleanup) are what get you from HIGH to LOW.
Why Non-Engineers Are at Higher Risk
This matters more, not less, if you can't read the code your AI is writing.
An engineer reviewing Claude Code's output can catch "wait, why is it running git reset --hard here?" before it happens. A non-engineer often can't. You're trusting the agent's judgment more completely, which means the guardrails have to be set up more carefully.
The 10-item diagnostic doesn't require you to understand every hook implementation. It tells you what's present and what's missing. The --fix mode installs the critical ones automatically. The rest of the kit handles the harder items.
The scan is the thing a non-engineer doesn't know to ask for, but needs most.
Run It Yourself
Scan only (read-only, no changes):
curl -sL https://gist.githubusercontent.com/yurukusa/10c76edee0072e2f08500dd43da30bc3/raw/risk-score.sh | bash
Scan and fix (installs 4 free hooks, never overwrites existing files):
curl -sL https://gist.githubusercontent.com/yurukusa/10c76edee0072e2f08500dd43da30bc3/raw/risk-score.sh | bash -s -- --fix
Nothing is installed by the scan. No data is sent anywhere. Full source code is on GitHub.
It takes about 10 seconds. If your score is 0, you're set. If it's not - now you know exactly what to fix, and what each item costs you if you don't.
What Comes After the Free Hooks
The free hooks handle the critical items - dangerous command protection, basic session setup, .gitignore hygiene. They're the floor, not the ceiling.
For extended autonomous sessions - multiple agents running in parallel, operations that span hours while you're away - the gaps in HIGH ? LOW territory matter more. That's what the CC-Codex Ops Kit covers: multi-agent relay, stall detection, watchdog processes, task queue policy, and the full implementation of the four remaining checks ($14.99).
But the diagnostic itself is free. Start by knowing your score.
Try the scanner:
No install: Web version - paste your hooks config or CLAUDE.md directly in the browser. Read-only, nothing installed, zero setup.
Or run locally:
curl -sL https://gist.githubusercontent.com/yurukusa/10c76edee0072e2f08500dd43da30bc3/raw/risk-score.sh | bash
Source: github.com/yurukusa/claude-code-ops-starter
Related reading:
- 4 Hooks That Let Claude Code Run Autonomously - The free hook set in detail
- Why Your AI Agent Needs a Quality Gate - Beyond safety, into quality control
More tools: Dev Toolkit - 56 free browser-based tools for developers. JSON, regex, colors, CSS, SQL, and more. All single HTML files, no signup.
Top comments (0)