AI coding agents can run rm -rf / on your machine. Here's how to stop them
Source: Dev.to
Motivations
AI coding agents are powerful — but with great power comes rm -rf /.
I’ve been recommending tools like Claude Code and Cursor to junior devs and non‑technical folks lately. These agents can execute shell commands autonomously, which is useful. But it also means a single hallucination could wipe their SSH keys, nuke a folder, or brick a meticulously created dev environment.
Frontier models do come with guardrails, but I wanted control over project‑specific no‑nos too, such as pushing to master or running a script that drops the staging database.
An LLM deciding whether a command is “safe” is probabilistic. I wanted something classical — a system where I define exactly what’s allowed and what’s blocked, with no ambiguity.
I am a fan of simple systems that are super effective, and git is one of them. I took inspiration from .gitignore: its rules use simple pattern matching, one rule per line, and are easy for anyone to read and modify.
Solution
AgentGuard intercepts shell commands before they execute and validates them against a simple rules file. If a command matches a block pattern, it is stopped; otherwise, it runs normally.
Example
> run nuketown.sh
⏺ Bash(./nuketown.sh)
⎿ Error: PreToolUse:Bash hook error: [node ./dist/bin/claude-hook.js]: 🚫
AgentGuard BLOCKED: ./nuketown.sh
Rule: *nuketown*
Reason: Blocked by rule: *nuketown*
Rules file
Create a .agentguard file in your project root with patterns for commands you want to block:
# The obvious dangerous stuff
!rm -rf /
!rm -rf /*
!mkfs*
!dd if=* of=/dev/*
# Don't let agents read my secrets
!cat ~/.ssh/*
!cat ~/.aws/*
!cat */.env
# Block that sketchy script I use for demos
!*nuketown*
Claude Hooks
Claude Code has a hook system that lets you intercept tool calls before they run. AgentGuard registers a PreToolUse hook that receives every Bash command as JSON, validates it against your rules, and returns exit code 0 (allow) or 2 (block).
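As an added illustration (not AgentGuard's own source), here is a minimal Node.js PreToolUse hook in the same spirit: it parses a rules file like the one above, matches each command against the `!` patterns, and exits 0 (allow) or 2 (block). The glob semantics (`*` matches any run of characters and a pattern must match the whole command), the naive splitting of chained commands, and the `tool_input.command` payload field are my assumptions, not necessarily what AgentGuard implements.

```javascript
// Added illustration, not AgentGuard's code. Assumes: rules are "!<glob>"
// lines ('#' = comment) matched against the whole command, and the hook
// payload is JSON with tool_input.command (Claude Code Bash hook shape).

// Keep "!pattern" lines; drop comments and blanks.
function parseRules(text) {
  return text.split(/\r?\n/).map((l) => l.trim())
    .filter((l) => l.startsWith('!')).map((l) => l.slice(1).trim());
}

// Glob -> anchored RegExp. '*' = any run, '?' = one char, rest literal.
function globToRegExp(glob) {
  const src = [...glob].map((ch) => ch === '*' ? '.*' : ch === '?' ? '.'
    : ch.replace(/[.+^${}()|[\]\\]/g, '\\$&')).join('');
  return new RegExp('^' + src + '$');
}

// Naively split chained commands (&&, ||, ;, |) so a blocked command after a harmless one is still checked; quotes are not parsed.
function segments(command) {
  return command.split(/\s*(?:&&|\|\||;|\|)\s*/).map((s) => s.trim()).filter(Boolean);
}

// First rule matching any segment, or null if the command is allowed.
function findBlockingRule(command, rules) {
  for (const seg of segments(command)) {
    for (const rule of rules) if (globToRegExp(rule).test(seg)) return rule;
  }
  return null;
}

// Apply the 0 (allow) / 2 (block) contract to one hook payload.
function decide(hookInput, rulesText) {
  const command = (hookInput.tool_input && hookInput.tool_input.command) || '';
  const rule = findBlockingRule(command, parseRules(rulesText));
  if (rule === null) return { exitCode: 0, message: '' };
  return { exitCode: 2,
    message: `AgentGuard BLOCKED: ${command}\nRule: ${rule}\nReason: Blocked by rule: ${rule}` };
}

// CLI entry for the hook: JSON on stdin, rules from ./.agentguard in the cwd.
function main() {
  const fs = require('node:fs');
  const input = JSON.parse(fs.readFileSync(0, 'utf8'));
  const rules = fs.existsSync('.agentguard') ? fs.readFileSync('.agentguard', 'utf8') : '';
  const { exitCode, message } = decide(input, rules);
  if (message) process.stderr.write(message + '\n');
  process.exit(exitCode);
}
if (typeof require !== 'undefined' && require.main === module && process.argv.includes('--hook')) main();
```

Register the script as the PreToolUse Bash hook command (for example `node agentguard-hook.js --hook`, the file name being mine). The chained-command split matters because a rule anchored on the whole command line would otherwise let a blocked command through when an agent prefixes it with a harmless one.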
I am hoping to add support for other agentic tools like Cursor, Codex, Windsurf, and Kiro. The core rules‑engine validation is agent‑agnostic, so adding new integrations is mostly about figuring out each tool’s interception mechanisms.
Check it out at .
Try it today with:
npm install -g ai-agentguard