Pre-Execution Safety Check

Before executing any shell command, evaluate it against the risk categories below. This check runs silently — only surface it to the user when a risk is detected.

Risk Categories

CRITICAL — Block and warn. Never proceed without explicit user confirmation.

Destructive file operations:

• rm -rf on any path outside a known temp/build directory
• rm -rf /, rm -rf ~, rm -rf . (catastrophic)
• Recursive delete on paths containing ..
• > filename (truncating files) on non-build artifacts

Irreversible git operations:

• git push --force or git push -f to main, master, or production
• git reset --hard when there are uncommitted changes
• git clean -fd or git clean -fdx (deletes untracked files)
• git branch -D on branches with unmerged commits
• git rebase on already-pushed commits

Database destruction:

• DROP TABLE, DROP DATABASE, TRUNCATE TABLE without a WHERE or in production
• DELETE FROM without a WHERE clause
• Migration rollbacks in production

Process/system operations:

• kill -9 on PIDs that aren't child processes of the current session
• pkill or killall on broad patterns
• chmod -R 777 or chmod -R 000
• chown -R on system directories
• Writing to /etc/, /usr/, or other system paths

Secret exposure:

• echo $API_KEY, cat .env, printenv piped to files or network
• Any command that would print secrets to stdout in a logged session
• curl or wget with credentials in the URL

HIGH — Warn user, explain the risk, suggest safer alternative.

Risky git operations:

• git push --force to any branch (suggest --force-with-lease)
• git reset --hard (suggest git stash first)
• git checkout -- . or git restore . (discards all changes)
• Amending commits that have been pushed

Package management:

• npm publish (publicly publishing a package)
• pip install from URL or --extra-index-url (supply chain risk)
• Removing lockfiles (rm package-lock.json, rm poetry.lock)

Infrastructure:

• kubectl delete on production namespaces
• terraform destroy
• docker system prune -a (removes all images)

Network:

• curl -X POST to external URLs with body containing local data
• scp or rsync to unfamiliar hosts
• ssh to production servers

MEDIUM — Note the risk in passing. Proceed unless the context is unusual.

• Installing global packages (npm install -g, pip install --user)
• Running sudo commands
• Modifying dotfiles (.bashrc, .zshrc, .gitconfig)
• Creating world-readable files in shared directories

Behavior

When a command matches a risk pattern:

1. CRITICAL: Stop. Tell the user: "This command [specific description] is destructive/irreversible. [Explain what could go wrong]. Do you want to proceed?"
2. HIGH: Warn: "Heads up — [command] carries risk because [reason]. Safer alternative: [suggestion]. Proceeding unless you object."
3. MEDIUM: Brief note only if the broader context makes it concerning.

When no risk is detected, proceed normally — do not mention this check.

Anti-Patterns to Avoid

• Do NOT warn about every rm command. rm file.txt on a known temp file is fine.
• Do NOT block normal development workflows. git push to a feature branch is fine.
• Do NOT add friction to routine operations. The goal is catching genuine mistakes, not slowing down the user.
• Do NOT be paranoid about curl for fetching docs or APIs. Only flag when local data is being sent.

Context Awareness

Use available context to reduce false positives:

• If in a git repo, check if the branch has been pushed before warning about force-push
• If a file was just created by the agent, deleting it is lower risk
• If running inside a Docker container or CI, destructive commands are lower risk
• git status output tells you if there are uncommitted changes worth protecting