rtk-ai/rtk

feat(hooks): dangerous-actions-blocker — PreToolUse hook for blocking destructive CLI ops

Open

#1,007 创建于 2026年4月3日

在 GitHub 查看
 (1 评论) (0 反应) (0 负责人)Rust (2,914 fork)batch import
area:cliarea:securityeffort-mediumenhancementhelp wantedpriority:medium

仓库指标

Star
 (48,085 star)
PR 合并指标
 (平均合并 11天 1小时) (30 天内合并 45 个 PR)

描述

Proposal

A ready-to-use PreToolUse Bash hook that intercepts dangerous commands before execution in Claude Code (and compatible AI agents). Shipped as a file in hooks/claude/ that users can copy into their .claude/hooks/ config.

What it blocks/asks

Category Action Decision
Files rm -rf /, rm -rf ~, rm -rf .. 🚫 block
Files rm -rf <other> (except safe dirs like node_modules, dist, .next) ⚠️ ask
Git git push --force (but allows --force-with-lease) 🚫 block
Git git push -f 🚫 block
Git git reset --hard, git clean -f, git checkout -- ., git branch -D ⚠️ ask
Secrets cat .env, echo $ANTHROPIC_API_KEY=..., reading .pem/.key files 🚫 block
Database DROP TABLE, TRUNCATE, DELETE FROM x; 🚫 block
Docker docker system prune -a, mass docker rm -f ⚠️ ask

Container-aware

Commands inside docker exec / kubectl exec skip host-path safety checks (paths resolve inside the container, not the host).

Integration

// .claude/settings.json
{
  "hooks": {
    "PreToolUse": [
      { "matcher": "Bash", "hooks": ["bash hooks/claude/dangerous-actions-blocker.sh"] }
    ]
  }
}

Questions for the team

  1. Is this in scope for RTK? Or does it belong in a separate repo / community hooks collection?
  2. Overlap with existing features? Does RTK already plan a built-in safety layer (e.g., via the rewrite hook or TOML filters)?
  3. Regex vs structured parsing? Current approach uses grep -qE on the raw command string — works but can false-positive on edge cases. Would a Rust-based approach be preferred?
  4. Default decisions — should rm -rf outside safe dirs be block or ask?

Happy to implement whichever direction you prefer. I have a working prototype ready to go once we align on scope.

贡献者指南