# git-guardrails-claude-code

> A Claude Code skill from Matt Pocock's skills repo that scaffolds a PreToolUse hook to intercept and block dangerous git commands — git push, reset --hard, clean -f, branch -D, checkout/restore . — before they execute, with an explicit refusal message returned to the agent.

**Use case**: Hook-block destructive git operations before Claude Code runs them

**Canonical URL**: https://agentcookbooks.com/skills/git-guardrails-claude-code/

**Topics**: claude-code, skills, hooks, git

**Trigger phrases**: "block dangerous git commands in Claude Code", "set up git guardrails for Claude", "prevent git push and reset --hard"

**Source**: [Matt Pocock](https://github.com/mattpocock/skills/tree/main/skills/misc/git-guardrails-claude-code)

**License**: MIT

---

## What it does

`git-guardrails-claude-code` is a Claude Code skill that installs a single PreToolUse hook on the `Bash` matcher. The hook reads the command line about to run, regex-matches a small set of destructive git operations, and exits non-zero with an explicit refusal message before the agent's Bash call executes.

Out of the box it blocks:

- `git push` (all variants, including `--force` and `--force-with-lease`)
- `git reset --hard`
- `git clean -f` / `git clean -fd`
- `git branch -D`
- `git checkout .` / `git restore .`

When a blocked command fires, the agent sees a line saying it does not have authority for that command — which is enough for the model to back off and ask the human rather than retry with a variant.
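As an added illustration (not the skill's bundled `block-dangerous-git.sh`, and not Matt Pocock's code), the sketch below runs the matching step described above against constructed sample commands, including a chained call and a false positive of the kind worth recording. The patterns, function names and refusal wording are assumptions modelled on the list above.

```bash
#!/bin/sh
# Added example: pattern check for a PreToolUse-style git guardrail.
# Assumed patterns, one extended regex per line. The leading group requires
# "git" to start a word, so a string such as "legit push" does not match.
GUARD_PATTERNS='(^|[^[:alnum:]_-])git[[:space:]]+push([^[:alnum:]_-]|$)
(^|[^[:alnum:]_-])git[[:space:]]+reset[[:space:]]+--hard
(^|[^[:alnum:]_-])git[[:space:]]+clean[[:space:]]+-[[:alpha:]]*f
(^|[^[:alnum:]_-])git[[:space:]]+branch[[:space:]]+-D([^[:alnum:]_-]|$)
(^|[^[:alnum:]_-])git[[:space:]]+(checkout|restore)[[:space:]]+\.([[:space:];&|]|$)'

# Prints the first matching pattern and returns 0 when the command is guarded.
match_blocked() {
    cmd=$1
    while IFS= read -r pat; do
        if printf '%s\n' "$cmd" | grep -Eq -- "$pat"; then
            printf '%s\n' "$pat"
            return 0
        fi
    done <<EOF
$GUARD_PATTERNS
EOF
    return 1
}

# Hook-style decision: refusal text on stderr plus a non-zero status.
# Status 2 is the value Claude Code treats as a blocking hook result.
guard_decision() {
    if match_blocked "$1" >/dev/null; then
        echo "BLOCKED: you do not have authority to run '$1'. Ask the user." >&2
        return 2
    fi
    return 0
}

# Constructed samples: reads, listed destructive ops, a chained call,
# a near-miss path, and a commit message that trips the push pattern.
run_samples() {
    for c in 'git status' 'git log --oneline' 'git reset --hard HEAD~1' \
             'git push --force-with-lease origin main' 'git clean -fd' \
             'git branch -D feature' 'git restore .' 'npm test && git push' \
             'git checkout .gitignore' 'git commit -m "do not git push yet"'; do
        if guard_decision "$c" 2>/dev/null; then echo "allow  $c"; else echo "block  $c"; fi
    done
}
run_samples
```

The last sample is blocked even though it only mentions `git push` inside a commit message, because the check sees the command line as plain text.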

## When to use it

Reach for it when:

- You let Claude Code work autonomously for more than a few minutes in a repo with un-pushed commits
- The repo has a shared remote and a force-push or a wrong-branch push would create real cleanup work for someone else
- You've already had one near-miss with `git reset --hard` or `git clean -f` clearing files you wanted to keep
- You want a *belt-and-suspenders* layer on top of Claude Code's existing confirmation prompts (which the agent can sometimes route around with chained commands)

When *not* to reach for it:

- Throwaway/scratch repos where destructive ops are the point
- CI/automation contexts where push/reset are the intended action (the hook would block legitimate work)

## Install

The skill is distributed via Pocock's [skills repo](https://github.com/mattpocock/skills). Install via his recommended path (`npx skills add` or manual copy of the `SKILL.md` plus the bundled `scripts/block-dangerous-git.sh` into `.claude/skills/git-guardrails-claude-code/`) — see the repo README for canonical install instructions.

The skill asks for the scope on first invocation: **project** (`.claude/settings.json` + `.claude/hooks/block-dangerous-git.sh`) or **global** (`~/.claude/settings.json` + `~/.claude/hooks/block-dangerous-git.sh`). The hook script is `chmod +x`'d during install, and the `PreToolUse` block is added (or merged, if `.claude/settings.json` already exists) with a `Bash` matcher.

## What a session looks like

A session has two phases:

1. **Setup.** You trigger the skill, pick scope (project vs global), and it writes the hook script + the `settings.json` matcher block in one pass. The skill is install-only — once registered, it does not re-trigger.
2. **Background enforcement.** From then on, every `Bash` tool call gets intercepted. Reads (`git status`, `git log`, `git diff`) pass through silently. Destructive operations get blocked with a refusal message visible to the agent, which routes back to the human for confirmation rather than retrying.

The first time the hook fires on a real `git push` attempt is usually the receipt — the agent's recovery behaviour (asks you, vs retries variants) tells you whether the refusal message wording is doing its job.

## Receipts

TODO: to be filled in from a real session. When the hook first blocks a destructive command in production use, capture: the exact command that was about to run, the agent's recovery behaviour (asked human, retried with variant, gave up), and any false positives (legitimate ops the regex caught that you had to allowlist).

This skill pairs naturally with the [claude-code-hooks-cookbook](/blog/claude-code-hooks-cookbook/) post, which covers the broader PreToolUse pattern this skill instantiates.

## Source and attribution

Originally written by [Matt Pocock](https://github.com/mattpocock). The canonical `SKILL.md` and the bundled `scripts/block-dangerous-git.sh` live in the [`misc/git-guardrails-claude-code` folder](https://github.com/mattpocock/skills/tree/main/skills/misc/git-guardrails-claude-code) of his public skills repository.

License: MIT. You can install, adapt, and redistribute the skill, with attribution preserved.

This page documents the skill from a practitioner's perspective. For the formal spec and any updates, defer to the source repo.