01block-dangerous-commands
Refuses rm -rf ~, fork bombs, curl | sh, dd to a raw disk, and the long tail of catastrophes that look harmless in a one-liner. Three tunable safety levels decide where the line sits.
Six small programs that watch what Claude Code is about to do — and step in. Block a destructive command. Refuse to read a secret. Stage and format an edit. Ping you on Slack. A few hundred lines each, exhaustively tested, ready to copy.
stdinOn every lifecycle event, Claude Code pipes a JSON payload — the tool, its input, the session — to your hook's standard input.
A few hundred lines in Node, Python, or shell. Inspect the payload, check it against your rules, and choose a verdict.
exit 0 or exit 20 lets the tool run. 2 blocks it and hands your message back to Claude as guidance.
Refuses rm -rf ~, fork bombs, curl | sh, dd to a raw disk, and the long tail of catastrophes that look harmless in a one-liner. Three tunable safety levels decide where the line sits.
Stops Claude from reading, editing, or quietly exfiltrating .env files, SSH keys, AWS credentials, kubeconfig — anything load-bearing. Catches the obvious paths and the clever ones: a cat piped to curl is still exfiltration.
Branch-aware guardrails: blocks commit, merge, rebase, reset and push while you're on main, plus destructive gh CLI calls like gh repo delete. Complements block-dangerous-commands rather than overlapping it.
After Claude edits or creates a file, runs git add on it — so git diff --cached becomes the canonical "what did the agent just do" view. One less accounting step in your loop.
Runs the right formatter on whatever Claude just wrote — ruff for Python, prettier for JS/TS/HTML/JSON/Markdown/YAML. The agent's output lands already clean, so diffs stay about logic, not whitespace.
Pings a Slack channel when Claude is stuck on a permission prompt or has gone idle waiting on you. Start a long agentic run, switch tabs, and trust you'll be pulled back when it actually needs a human.
+ event-logger — a Python diagnostic that dumps every event's JSON so you can see an event's shape before you write a hook against it. The thing you reach for first.
Anywhere your shell can chmod +x. Convention is ~/.claude/hooks/.
$ mkdir -p ~/.claude/hooks $ cp hook-scripts/pre-tool-use/block-dangerous-commands.js \ ~/.claude/hooks/
In .claude/settings.json, bind the hook to an event and matcher.
{
"hooks": {
"PreToolUse": [{
"matcher": "Bash",
"hooks": [{
"type": "command",
"command": "node ~/.claude/hooks/block-dangerous-commands.js"
}]
}]
}
}
The hook is live. Ask Claude to do something reckless and watch it refuse.
$ claude › please rm -rf ~ … hook blocked: deletes home directory.
Six tested guardrails, MIT licensed, no framework to learn. Copy one and restart Claude Code — you're protected in under a minute.