VibeSec Security Review
Security awareness check: pre-deployment security review, permission confirmation, risk identification
/careful — Destructive Command Guardrails
Safety mode is now active. Every bash command will be checked for destructive
patterns before running. If a destructive command is detected, you'll be warned
and can choose to proceed or cancel.
```bash
mkdir -p ~/.gstack/analytics
# Log the skill activation (UTC timestamp, repo name or "unknown" outside a git work tree); write errors are ignored
echo '{"skill":"careful","ts":"'$(date -u +%Y-%m-%dT%H:%M:%SZ)'","repo":"'$(basename "$(git rev-parse --show-toplevel 2>/dev/null || echo "unknown")")'"}' >> ~/.gstack/analytics/skill-usage.jsonl 2>/dev/null || true
```
What's protected
| Pattern | Example | Risk |
|---|---|---|
| `rm -rf` / `rm -r` / `rm --recursive` | `rm -rf /var/data` | Recursive delete |
| `DROP TABLE` / `DROP DATABASE` | `DROP TABLE users;` | Data loss |
| `TRUNCATE` | `TRUNCATE orders;` | Data loss |
| `git push --force` / `-f` | `git push -f origin main` | History rewrite |
| `git reset --hard` | `git reset --hard HEAD~3` | Uncommitted work loss |
| `git checkout .` / `git restore .` | `git checkout .` | Uncommitted work loss |
| `kubectl delete` | `kubectl delete pod` | Production impact |
| `docker rm -f` / `docker system prune` | `docker system prune -a` | Container/image loss |
Safe exceptions
These patterns are allowed without warning:
rm -rf node_modules / .next / dist / __pycache__ / .cache / build / .turbo / coverage
How it works
The hook reads the command from the tool input JSON, checks it against the
patterns above, and returns permissionDecision: "ask" with a warning message
if a match is found. You can always override the warning and proceed.
To deactivate, end the conversation or start a new one. Hooks are session-scoped.
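
The check described above, written out in Python as an added example (not the project's own hook code). The input shape `tool_input.command`, the `message` key, the function names and the regexes are assumptions; it goes slightly beyond the page by checking each part of a chained command and by treating only bare directory names as safe.

```python
import json
import re

# Build-artifact directories from the page's "Safe exceptions" list.
SAFE_DIRS = {"node_modules", ".next", "dist", "__pycache__", ".cache",
             "build", ".turbo", "coverage"}

# (regex, risk) pairs mirroring the "What's protected" table; rm is handled separately.
PATTERNS = [
    (r"\bDROP\s+(TABLE|DATABASE)\b", "Data loss"),
    (r"\bTRUNCATE\b", "Data loss"),
    (r"\bgit\s+push\b.*\s(--force|-f)\b", "History rewrite"),
    (r"\bgit\s+reset\s+--hard\b", "Uncommitted work loss"),
    (r"\bgit\s+(checkout|restore)\s+\.(\s|$)", "Uncommitted work loss"),
    (r"\bkubectl\s+delete\b", "Production impact"),
    (r"\bdocker\s+(rm\s+-f|system\s+prune)\b", "Container/image loss"),
]

def rm_is_risky(segment):
    """True for a recursive rm unless every target is a bare safe directory
    (stricter than a suffix match: "/srv/build" is not treated as safe)."""
    words = segment.split()
    if "rm" not in words:
        return False
    args = words[words.index("rm") + 1:]
    flags = [a for a in args if a.startswith("-")]
    targets = [a for a in args if not a.startswith("-")]
    recursive = any(f == "--recursive" or (not f.startswith("--") and "r" in f.lower())
                    for f in flags)
    all_safe = bool(targets) and all(
        re.sub(r"^\./", "", t).rstrip("/") in SAFE_DIRS for t in targets)
    return recursive and not all_safe

def check(hook_input):
    """Return a decision dict for one hook invocation; {} means no warning."""
    # Assumed input shape: {"tool_input": {"command": "..."}}
    command = json.loads(hook_input).get("tool_input", {}).get("command", "")
    # Check each part of a chained command so a safe prefix cannot mask the rest.
    for segment in re.split(r"&&|\|\||[;|\n]", command):
        segment = segment.strip()
        risk = "Recursive delete" if rm_is_risky(segment) else next(
            (r for p, r in PATTERNS if re.search(p, segment, re.IGNORECASE)), None)
        if risk:
            # "message" is a hypothetical key name for the warning text.
            return {"permissionDecision": "ask",
                    "message": f"Destructive command ({risk}): {segment}"}
    return {}

if __name__ == "__main__":  # constructed sample input
    print(check('{"tool_input": {"command": "rm -rf dist && rm -rf /var/data"}}'))
```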