AI Agent Ran rm -rf: How to Prevent Destructive Shell Commands
An AI agent attempting to "clean up build artifacts" executed rm -rf /home/deploy/ instead of rm -rf /home/deploy/build/dist/, erasing the entire deployment directory including source code, configs, and deployment scripts. SafeClaw by Authensor intercepts every shell command before execution, evaluates it against a policy engine, and blocks commands containing destructive patterns like rm -rf on protected paths.
The Incident: Full Post-Mortem
Context: A CI/CD pipeline used an AI agent to manage build artifacts. The agent had shell access to run build and cleanup commands.
Timeline:
| Time | Event |
|------|-------|
| 14:01 | Agent receives instruction: "Remove old build output from the dist folder" |
| 14:01 | Agent constructs command: rm -rf /home/deploy/ (missing build/dist/ suffix) |
| 14:01 | Command executes — entire /home/deploy/ directory removed |
| 14:03 | Next deployment step fails — deployment scripts are gone |
| 14:15 | Team discovers the issue, begins emergency recovery |
| 16:30 | Service restored from backup, 2.5 hours of downtime |
Root cause: The agent truncated the path when constructing the shell command. There was no pre-execution check to validate the command against a policy. The agent had unrestricted shell access.
Contributing factors:
- No path validation before command execution
- No deny list for destructive commands on protected directories
- No human-in-the-loop approval for rm commands
- Agent ran as a user with full directory permissions
How SafeClaw Prevents This
SafeClaw evaluates shell commands at the action level before they reach the operating system. The command string is parsed and matched against policy rules.
Quick Start
npx @authensor/safeclaw
Policy That Blocks Destructive Commands
```yaml
# safeclaw.config.yaml
rules:
  # Block rm -rf entirely outside of safe directories
  - action: shell.execute
    command_pattern: "rm -rf /**"
    decision: deny
    reason: "Recursive forced deletion is blocked by policy"

  # Allow rm only in the specific build output directory
  - action: shell.execute
    command_pattern: "rm -rf /home/deploy/build/dist/*"
    decision: allow

  # Block other dangerous commands
  - action: shell.execute
    command_pattern: "rm -rf /"
    decision: deny
    reason: "System-wide deletion is never permitted"

  - action: shell.execute
    command_pattern: "mkfs*"
    decision: deny
    reason: "Filesystem formatting is blocked"

  - action: shell.execute
    command_pattern: "dd if=of=/dev/"
    decision: deny
    reason: "Raw device writes are blocked"

  # Default deny for all other shell commands
  - action: shell.execute
    decision: deny
    reason: "Shell command not in allowlist"
```
Runtime Interception
When the agent tries to execute rm -rf /home/deploy/, SafeClaw intercepts it:
```json
{
  "action": "shell.execute",
  "command": "rm -rf /home/deploy/",
  "decision": "deny",
  "matched_rule": "rm -rf /** blocked by policy",
  "timestamp": "2026-02-13T14:01:33Z",
  "audit_hash": "sha256:a7b2..."
}
```
The command never runs. The agent receives the denial and can be configured to request human approval or fall back to a safer alternative.
Why SafeClaw
- 446 tests include destructive command patterns, path traversal attempts, command chaining (&&, ||, ;), and encoded command injection
- Deny-by-default means every shell command is blocked unless a rule explicitly permits it
- Sub-millisecond evaluation adds negligible latency even in CI/CD pipelines where speed matters
- Hash-chained audit trail records every command attempted, providing forensic evidence for incident review
Dangerous Commands to Block
Beyond rm -rf, your policies should deny these patterns unless explicitly needed:
- chmod 777 — opens permissions dangerously wide
- curl | bash — executes untrusted remote code
- wget -O- | sh — same risk as above
- git push --force — rewrites remote history
- DROP TABLE / DROP DATABASE — destructive database operations
- kill -9 — forcefully terminates processes without cleanup
Related Pages
- What Happens When an AI Agent Deletes Production Files
- Prevent rm -rf from AI Agent
- Threat: Recursive Shell Execution
- Pattern: Fail-Closed Design
Try SafeClaw
Action-level gating for AI agents. Set it up in your browser in 60 seconds.
$ npx @authensor/safeclaw