Molecule AI Plugin-Dev 70a7acda2a
All checks were successful
CI / validate (push) Successful in 57s
CI / validate (pull_request) Successful in 1m14s
security: block token exfiltration patterns (OFFSEC-002) (#3)
[sdk-lead-agent] P0 security: blocks LLM-prompt-injection token exfil — token file reads (.gh_token, .auth_token, .git-credentials-cache), env|grep secrets, curl/wget credential redirects. Also fixes latent bug where rm -rf .git guard used substring match that never fired (now regex). 210 lines of unit tests, CI green on push+PR. Followup needed: gitignore __pycache__/. Approved + merged.
Co-authored-by: Molecule AI Plugin-Dev <plugin-dev@agents.moleculesai.app>
Co-committed-by: Molecule AI Plugin-Dev <plugin-dev@agents.moleculesai.app>
2026-05-10 09:18:41 +00:00
.github/workflows fix(ci): lowercase 'molecule-ai/' in cross-repo workflow refs 2026-05-07 00:59:12 -07:00
.molecule-ci/scripts security: block token exfiltration patterns (OFFSEC-002) (#3) 2026-05-10 09:18:41 +00:00
adapters import from local vendored copy (2026-05-06) 2026-05-06 13:53:24 -07:00
hooks security: block token exfiltration patterns (OFFSEC-002) (#3) 2026-05-10 09:18:41 +00:00
runbooks docs(install): migrate git clone URL to git.moleculesai.app (#37) 2026-05-06 23:56:06 -07:00
skills/careful-mode import from local vendored copy (2026-05-06) 2026-05-06 13:53:24 -07:00
tests security: block token exfiltration patterns (OFFSEC-002) (#3) 2026-05-10 09:18:41 +00:00
.gitignore import from local vendored copy (2026-05-06) 2026-05-06 13:53:24 -07:00
CLAUDE.md docs(install): migrate git clone URL to git.moleculesai.app (#37) 2026-05-06 23:56:06 -07:00
known-issues.md security: block token exfiltration patterns (OFFSEC-002) (#3) 2026-05-10 09:18:41 +00:00
plugin.yaml import from local vendored copy (2026-05-06) 2026-05-06 13:53:24 -07:00
pytest.ini security: block token exfiltration patterns (OFFSEC-002) (#3) 2026-05-10 09:18:41 +00:00
README.md docs: write substantive README.md 2026-05-10 08:33:46 +00:00
settings-fragment.json import from local vendored copy (2026-05-06) 2026-05-06 13:53:24 -07:00

molecule-careful-bash

Refuses destructive bash commands before they execute. Blocks commands that match a dangerous-pattern list — including git push --force to protected branches, rm -rf at root, and SQL DROP against production-like targets.

How it works

The PreToolUse:Bash hook matches the command string against a deny-list. Matches block execution and surface a reason. Safe commands pass through unchanged.

Denied patterns

| Pattern | Reason |
| --- | --- |
| git push --force to main/master/production | Irreversible history rewrite |
| rm -rf / or rm -rf /* | Complete filesystem deletion |
| DROP DATABASE, DROP TABLE prod.* | Irreversible data destruction |
| shutdown, halt, init 0 | Host shutdown |

Custom patterns can be added via settings-fragment.json.

Install

In org template (org.yaml)

plugins:
  - molecule-careful-bash

From URL (community install)

github://Molecule-AI/molecule-ai-plugin-molecule-careful-bash

Usage

No configuration needed. Install and the hook is active. To bypass for a specific command, disable the plugin temporarily via workspace settings.

Settings

| Setting | Type | Description |
| --- | --- | --- |
| extra_refuse_patterns | string[] | Additional command patterns to block |
| mode | refuse \| warn | Block or warn (default: refuse) |
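
An added example, not the plugin's own code: one way a deny-list check can combine the rows under "Denied patterns" with the extra_refuse_patterns and mode settings, using anchored regular expressions so that `rm -rf /tmp/build` is not caught by the `rm -rf /` rule. The regexes, the `check_command` name, the reason string for extra patterns and the treatment of extra_refuse_patterns as regular expressions are assumptions; the real patterns live in hooks/pre-bash-careful.py.

```python
import re

# Constructed regexes approximating the README's deny-list rows (assumption:
# the plugin's actual patterns may differ).
DENY_RULES = [
    # git push with --force/-f anywhere after "push", naming a protected branch
    (r"\bgit\s+push\b(?=.*\s(?:--force|-f)(?:\s|$))"
     r"(?=.*\b(?:main|master|production)\b)",
     "Irreversible history rewrite"),
    # rm -rf / or rm -rf /* only: the path must end right after "/" or "/*"
    (r"\brm\s+-(?:rf|fr)\s+/\*?(?:\s|$)", "Complete filesystem deletion"),
    (r"\bDROP\s+(?:DATABASE\b|TABLE\s+prod\.)", "Irreversible data destruction"),
    # shutdown/halt/init 0 in command position (line start, after ; & |, or sudo)
    (r"(?:^|[;&|]|\bsudo\b)\s*(?:shutdown|halt|init\s+0)\b", "Host shutdown"),
]


def check_command(command, extra_refuse_patterns=(), mode="refuse"):
    """Return (decision, reason); decision is "allow" or the configured mode."""
    if mode not in ("refuse", "warn"):
        raise ValueError(f"unknown mode: {mode!r}")
    extra = [(p, "Matched extra_refuse_patterns") for p in extra_refuse_patterns]
    for pattern, reason in DENY_RULES + extra:
        if re.search(pattern, command, re.IGNORECASE):
            return mode, reason
    return "allow", None


if __name__ == "__main__":
    # Constructed sample commands, evaluated as strings only (never executed).
    samples = [
        "git push --force origin main",
        "git push --force origin feature/login",
        "rm -rf /*",
        "rm -rf /tmp/build",
        "psql -c 'drop table prod.users'",
        "grep shutdown /var/log/syslog",
        "sudo shutdown -h now",
    ]
    for cmd in samples:
        decision, reason = check_command(cmd)
        print(f"{decision:7} {cmd!r} {reason or ''}")
```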

Hooks

  • PreToolUse:Bash — matches command against deny-list, blocks or warns

Architecture

hooks/
  pre-bash-careful.py   # Pattern matching, deny_pretooluse
  pre-bash-careful.sh    # Shell wrapper
  _lib.py                # Shared helpers
adapters/
  claude_code.py         # Registers hook
skills/
  careful-mode/          # Skill for managing patterns at runtime
settings-fragment.json   # Declares PreToolUse:Bash hook binding

Runtime

  • claude_code — primary

Known issues

See known-issues.md.

License

Business Source License 1.1 — © Molecule AI.