This sure looks similar to something I posted on X 2 weeks ago:
https://github.com/Dicklesworthstone/misc_coding_agent_tips_...
You be the judge:
I am using something like this on Linux:
bwrap --ro-bind /{,} --dev /dev --proc /proc --tmpfs /run --tmpfs /tmp --tmpfs /var/tmp --tmpfs ${HOME} --ro-bind ${HOME}/.nix-profile{,} --unshare-all --die-with-parent --tmpfs ${XDG_RUNTIME_DIR} --ro-bind /run/systemd/resolve/stub-resolv.conf{,} --share-net --bind ${HOME}/.config/claude-code{,} --overlay-src ${HOME}/.cache/go --tmp-overlay ${HOME}/.cache/go --bind ${PWD}{,} --ro-bind ${PWD}/.git{,} -- env SHELL=/bin/bash CLAUDE_CONFIG_DIR=${HOME}/.config/claude-code claude
Just put it in a container. I use bash aliases like this to start a throwaway container with bind-mounted cwd; works like a charm with rootless podman. I also learned to run npm and other shady tools in this way and stopped worrying about supply chain attacks.
alias dr='docker run --rm -it -v "$PWD:$PWD" -w "$PWD"'
alias dr-claude='dr -v ~/.claude:/root/.claude -v ~/.claude.json:/root/.claude.json claude'
Someone should write a version of this that uses AI to detect whether the command that the AI wants to run is dangerous. Certainly that seems like the current trend in software "engineering".
I’ve been working on a different approach to this problem: syscall-level interception via PyPy sandbox rather than command filtering. This captures all operations at the OS level, so tmp.sh scripts and Makefile edits get queued for human review before executing.
It’s still WIP but the core sandbox works. Feedback greatly appreciated: https://github.com/corv89/shannot
Sure, but I've written +150K lines of AI generated code myself and never seen it do a destructive command. Pretty much Cursor non-stop and my own agent before that.
I always run my agents in a container with the source code directory mounted. That way I can reasonably be confident I may let it work without fearing destructive actions to my system. And I'm a git reset away to restore source code.
You should probably rely less on AI. If your first thought is "I need to delete some directories" and your immediate next thought is "I'd better ask an AI agent to do this for me", you are definitely exhibiting skill entropy.
I am always surprised at how quick Claude will ask to run git filter-branch vs doing the same operation safely via an extra command or two.
Two MCP tools back to back on the HN frontpage when seemingly dozens of them doing the same functionality already exist. Both posts written by AI with the typical tells. Daring today, aren't we?
Jesus.
Just containerize Claude.
How is this not common practice already?
Are people really ok with a third party agent running out of their home directory executing arbitrary commands on their behalf?
Pure insanity.
Switching to plan mode for everything before the application step seems to avoid the problem.
The problem seems to come when it’s stuck in a debug death loop with full permissions.
In my opinion this is a solution at the wrong layer. It's working by trying to filter executed commands, but it doesn't work in many cases (even in 'strict mode'), and there's better, more complete, solutions.
What do I mean by "it doesn't work"? Well, claude code is really good at executing things in unusual ways when it needs to, and this is trying to parse shell to catch them.
When claude code has trouble running a bash command, it sometimes will say something like "The current environment is wonky, let's put it in a file and run that", and then use the edit tool to create 'tmp.sh' and then 'bash tmp.sh'. Which this plugin would allow, but would obviously let claude run anything.
I've also had claude reach for awk '{system(...)}', which this plugin doesn't prevent, among some others. A blacklist of "unix commands which can execute arbitrary code" is doomed to failure because there's just so many ways out there to do so.
Preventing destructive operations, like `rm -rf ~/`, is much more easily handled by running the agent in a container with only the code mounted into it, and then frequently committing changes and pushing them out of the container so that the agent can't delete its work history either.
Half-measures, like trying to parse shell commands and flags, are just going to lead to the agent hitting a wall and looping into doing weird things (making it more likely to really screw things up), as opposed to something like containers or VMs, which are easy to use and actually work.
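The container setup that the bwrap and podman commenters sketch and that this last comment argues for, as an added example (not code from any commenter): only the project directory is mounted, its .git is read-only so history cannot be rewritten from inside, the host home directory is not visible, the root filesystem is read-only and all capabilities are dropped. The image name, agent command and the /sandbox-home mount point are assumptions.

```shell
#!/bin/sh
# Added example, not from any commenter in this thread: compose the
# container invocation described above (project dir mounted rw, .git
# read-only, no host $HOME, read-only rootfs, no capabilities).
# AGENT_IMAGE and AGENT_CMD are assumed placeholders; adjust to taste.
set -eu

AGENT_IMAGE="${AGENT_IMAGE:-localhost/agent-sandbox:latest}"  # assumed image
AGENT_CMD="${AGENT_CMD:-claude}"                               # assumed command
RUNTIME="${RUNTIME:-podman}"      # docker accepts the same flags below

# sandbox_cmd PROJECT_DIR CONFIG_DIR
# Prints the full command one argument per line (dry run), or, when
# SANDBOX_RUN=1 is set, replaces the shell with it.
sandbox_cmd() {
  project=$1
  cfg=$2            # agent state to persist, e.g. ~/.config/claude-code
  set -- "$RUNTIME" run --rm -it \
    --read-only --tmpfs /tmp --tmpfs /run \
    --cap-drop ALL --security-opt no-new-privileges \
    --pids-limit 512 --memory 4g \
    -v "$project:$project" \
    -v "$project/.git:$project/.git:ro" \
    -v "$cfg:/sandbox-home" -e HOME=/sandbox-home \
    -w "$project"
  # rootless podman: keep the host uid so files written to $project stay yours
  if [ "$RUNTIME" = podman ]; then
    set -- "$@" --userns=keep-id
  fi
  set -- "$@" "$AGENT_IMAGE" "$AGENT_CMD"
  if [ "${SANDBOX_RUN:-0}" = 1 ]; then
    exec "$@"
  else
    printf '%s\n' "$@"
  fi
}
```

Commit from the host, not from inside the container: with .git mounted read-only the agent can edit the working tree but cannot run git filter-branch or otherwise rewrite history.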