molecule-ai/molecule-ai-plugin-molecule-careful-bash
35
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
main
molecule-ai-plugin-molecule.../skills/careful-mode/SKILL.md
Hongming Wang 9ddfb236ab
Some checks failed
CI / validate (push) Failing after 0s
Details
import from local vendored copy (2026-05-06)
2026-05-06 13:53:24 -07:00

3.1 KiB
Raw Permalink Blame History

name description
careful-mode Refuse or warn before destructive irreversible commands (rm -rf, force push, DROP TABLE, gh pr close, gh issue close, mass DELETE). Inspired by gstack's /careful and /freeze. Activate at the start of any cron tick or when about to write to shared resources.

careful-mode

Cron has merge authority + commit authority. That is enough rope to do permanent damage. This skill is the seatbelt.

Activate when

  • The hourly cron tick starts
  • About to call gh pr merge / gh pr close / gh issue close
  • About to push to a branch other than your own draft
  • About to run git push --force for any reason
  • About to run rm -rf on anything inside the repo
  • About to issue DROP TABLE / TRUNCATE / DELETE FROM ... WHERE without a known small WHERE

Categories

REFUSE — hard stop

  • git push --force to main, master, or any protected branch
  • gh pr merge on a PR that:
    • has CI failing
    • has state: draft
    • has unresolved review comments from a non-bot author
    • was created in the same conversation context (need 1 tick of distance)
  • git reset --hard against a branch that has commits I haven't seen pushed to a remote
  • rm -rf against any path matching **/migrations/**, .git/, ~/.molecule/, or repo root
  • DROP TABLE, TRUNCATE TABLE against any table in the molecule schema
  • DELETE FROM workspaces without a WHERE id = $known_uuid clause

WARN — proceed only with explicit confirmation in the prompt

  • gh pr close on a PR not authored by me
  • gh issue close on any issue
  • git push --force-with-lease (safer than --force, still requires care)
  • rm -rf node_modules / dist / (safe, but worth a one-line "yes I meant this")
  • chmod -R on anything outside the current PR's diff
  • Mass curl-DELETE loops over /workspaces (the cleanup-rogue-workspaces.sh pattern is OK but document the prefix)

ALLOW

  • Anything against /tmp/, the agent's own scratch dir, or test artifacts
  • Reads of any kind
  • Standard merges via gh pr merge --merge --delete-branch once the gates pass
  • Single-row updates / deletes with explicit WHERE on a known-uuid

Freeze mode

When debugging a tricky issue, lock edits to one directory. Example invocation:

careful-mode freeze platform/internal/handlers/
# now any Edit/Write outside that path refuses
careful-mode unfreeze

This is conceptually like gstack's /freeze — prevents accidental scope creep when an agent is spelunking.

How to honor this skill

The skill is enforced by the AGENT, not by the harness. When making a tool call that lands in the REFUSE / WARN list, the agent must:

  1. Stop
  2. State the exact command + which list it falls under
  3. Explain why this case is or isn't safe
  4. For WARN, ask for explicit user confirmation
  5. For REFUSE, decline and propose a safer alternative

Why this exists

The cron has merge authority. gstack documented several near-misses where Claude wiped working directories or force-pushed to main. We avoid those by making the rules explicit and machine-readable, applied at the start of every tick.