git-guardrails-claude-code

Trigger phrases

Phrases that activate this skill when typed to Claude Code:

• block dangerous git commands in Claude Code
• set up git guardrails for Claude
• prevent git push and reset --hard

What it does

git-guardrails-claude-code is a Claude Code skill that installs a single PreToolUse hook on the Bash matcher. The hook reads the command line about to run, regex-matches a small set of destructive git operations, and exits non-zero with an explicit refusal message before the agent’s Bash call executes.

Out of the box it blocks:

• git push (all variants, including --force and --force-with-lease)
• git reset --hard
• git clean -f / git clean -fd
• git branch -D
• git checkout . / git restore .

When a blocked command fires, the agent sees a line saying it does not have authority for that command — which is enough for the model to back off and ask the human rather than retry with a variant.

When to use it

Reach for it when:

• You let Claude Code work autonomously for more than a few minutes in a repo with un-pushed commits
• The repo has a shared remote and a force-push or a wrong-branch push would create real cleanup work for someone else
• You’ve already had one near-miss with git reset --hard or git clean -f clearing files you wanted to keep
• You want a belt-and-suspenders layer on top of Claude Code’s existing confirmation prompts (which the agent can sometimes route around with chained commands)

When not to reach for it:

• Throwaway/scratch repos where destructive ops are the point
• CI/automation contexts where push/reset are the intended action (the hook would block legitimate work)

Install

The skill is distributed via Pocock’s skills repo. Install via his recommended path (npx skills add or manual copy of the SKILL.md plus the bundled scripts/block-dangerous-git.sh into .claude/skills/git-guardrails-claude-code/) — see the repo README for canonical install instructions.

The skill asks scope on first invocation: project (.claude/settings.json + .claude/hooks/block-dangerous-git.sh) or global (~/.claude/settings.json + ~/.claude/hooks/block-dangerous-git.sh). The hook script is chmod +x’d during install, and the PreToolUse block is added (or merged, if .claude/settings.json already exists) with a Bash matcher.

What a session looks like

A session has two phases:

1. Setup. You trigger the skill, pick scope (project vs global), and it writes the hook script + the settings.json matcher block in one pass. The skill is install-only — once registered, it does not re-trigger.
2. Background enforcement. From then on, every Bash tool call gets intercepted. Reads (git status, git log, git diff) pass through silently. Destructive operations get blocked with a refusal message visible to the agent, which routes back to the human for confirmation rather than retrying.

The first time the hook fires on a real git push attempt is usually the receipt — the agent’s recovery behaviour (asks you, vs retries variants) tells you whether the refusal message wording is doing its job.

Receipts

TODO — to be filled in from a real session. When the hook first blocks a destructive command in production use, capture: the exact command that was about to run, the agent’s recovery behaviour (asked human, retried with variant, gave up), and any false positives (legitimate ops the regex caught that you had to allowlist).

Pair naturally with the claude-code-hooks-cookbook post for the broader PreToolUse pattern this skill instantiates.

Source and attribution

Originally written by Matt Pocock. The canonical SKILL.md and the bundled scripts/block-dangerous-git.sh live in the misc/git-guardrails-claude-code folder of his public skills repository.

License: MIT. You can install, adapt, and redistribute the skill, with attribution preserved.

This page documents the skill from a practitioner’s perspective. For the formal spec and any updates, defer to the source repo.