claude-code-project-boundary
skill
Fail
Health Pass
- License — License: MIT
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Community trust — 36 GitHub stars
Code Fail
- rm -rf — Recursive force deletion command in hooks/guard.sh
- rm -rf — Recursive force deletion command in tests/test_guard.sh
Permissions Pass
- Permissions — No dangerous permissions requested
Purpose
This is a security plugin for Claude Code that creates a protective boundary around your project directory. It permits potentially destructive file operations (like `rm` or `chmod`) only within the project scope, while automatically blocking them outside the directory to prevent accidental system-wide damage when running in a highly permissive mode.
Security Assessment
The tool is designed entirely around executing and filtering shell commands, which is its core purpose. It does not make external network requests, nor does it contain hardcoded secrets. However, the automated scan flagged the presence of `rm -rf` commands within the `hooks/guard.sh` and `tests/test_guard.sh` files. This is expected given the tool's objective of regulating file deletion, and these commands are restricted to the project boundary. While the tool drastically reduces the risk of AI-driven system destruction, relying on any shell-parsing safety net—especially one guarding a `dangerouslySkipPermissions` environment—inherently carries a slight risk of bypass. Overall risk is rated as Medium.
Quality Assessment
The project demonstrates strong health and maintenance indicators. It is licensed under the standard MIT license, meaning it is open and safe to integrate. The repository is highly active, with the most recent push occurring just today. Additionally, it has garnered 36 GitHub stars, showing a reasonable degree of community trust and peer validation for a highly specific developer tool.
Verdict
Use with caution — the tool is well-maintained and conceptually sound, but it acts as a regex-based safety net for inherently risky execution modes.
This is a security plugin for Claude Code that creates a protective boundary around your project directory. It permits potentially destructive file operations (like `rm` or `chmod`) only within the project scope, while automatically blocking them outside the directory to prevent accidental system-wide damage when running in a highly permissive mode.
Security Assessment
The tool is designed entirely around executing and filtering shell commands, which is its core purpose. It does not make external network requests, nor does it contain hardcoded secrets. However, the automated scan flagged the presence of `rm -rf` commands within the `hooks/guard.sh` and `tests/test_guard.sh` files. This is expected given the tool's objective of regulating file deletion, and these commands are restricted to the project boundary. While the tool drastically reduces the risk of AI-driven system destruction, relying on any shell-parsing safety net—especially one guarding a `dangerouslySkipPermissions` environment—inherently carries a slight risk of bypass. Overall risk is rated as Medium.
Quality Assessment
The project demonstrates strong health and maintenance indicators. It is licensed under the standard MIT license, meaning it is open and safe to integrate. The repository is highly active, with the most recent push occurring just today. Additionally, it has garnered 36 GitHub stars, showing a reasonable degree of community trust and peer validation for a highly specific developer tool.
Verdict
Use with caution — the tool is well-maintained and conceptually sound, but it acts as a regex-based safety net for inherently risky execution modes.
Claude Code plugin: scope-aware protection — allows destructive ops (rm, mv, chmod) within project, blocks them outside. Built for dangerouslySkipPermissions mode.
README.md
Project Boundary — Claude Code Plugin
Allows destructive operations within your project but blocks them outside the project directory. Built for dangerouslySkipPermissions mode where Claude doesn't ask — this plugin is your safety net.
How it differs from existing plugins
- claude-code-safety-net — blocks
rmeverywhere; Project Boundary allows it inside the project so refactoring works normally. - destructive-command-guard — only distinguishes
/tmpvs everything else; Project Boundary uses$CLAUDE_PROJECT_DIRas the actual boundary. - claude-code-damage-control — requires manually listing protected paths; Project Boundary automatically protects everything outside the project.
What it does
Always blocked (regardless of location)
| Command | Example |
|---|---|
git push --force / -f |
git push --force origin main |
git reset --hard |
git reset --hard HEAD~1 |
git checkout . |
git checkout . |
git clean -f |
git clean -fd |
DROP TABLE / TRUNCATE TABLE |
DROP TABLE users; |
rails db:drop / db:reset |
rails db:drop |
rake db:drop / db:reset |
rake db:drop |
mkfs.* |
mkfs.ext4 /dev/sda1 |
dd if= |
dd if=/dev/zero of=/dev/sda |
Boundary-checked (allowed inside project, blocked outside)
| Operation | Inside project | Outside project |
|---|---|---|
rm, rm -rf |
Allowed | Blocked |
mv (source and destination) |
Allowed | Blocked |
cp (source and destination) |
Allowed | Blocked |
ln (source and target) |
Allowed | Blocked |
chmod / chown |
Allowed | Blocked |
> / >> redirect |
Allowed | Blocked |
tee / tee -a |
Allowed | Blocked |
curl -o / curl --output |
Allowed | Blocked |
wget -O / wget --output-document |
Allowed | Blocked |
find -delete / find -exec rm |
Allowed | Blocked |
Always blocked (unsafe to inspect)
| Command | Reason |
|---|---|
bash -c "..." / sh -c "..." |
Nested shell — cannot inspect inner command |
eval '...' |
Cannot safely parse evaluated code |
Piping to sh / bash |
Inner commands invisible to guard |
xargs rm/mv/cp/... |
Arguments cannot be validated |
Additional protections
- Chained commands — splits on
;,&&,||,|and checks each sub-command independently cdtracking —cd /tmp && rm -rf somethingis blocked becausecdleft the projectsudoprefix — stripped before checking, sosudo rm /etc/passwdis still blockedfindoptions — handles-L,-H,-Pbefore the search path- Path traversal —
..segments are resolved before boundary check ~and$HOMEexpansion —rm ~/fileandrm $HOME/fileare correctly detected as outside-project- Symlink resolution — handles macOS
/var→/private/varand similar
Known limitations
- Paths with spaces in project directory name are not fully supported (space-based argument splitting)
$()subshells and backtick substitution inside arguments are not expanded
Install
Direct:
claude --plugin-dir /path/to/claude-code-project-boundary
From marketplace:
/plugin marketplace add davepoon/buildwithclaude
/plugin install project-boundary@buildwithclaude
How it works
A pure-bash PreToolUse hook. Splits chained commands, resolves target paths (handling symlinks, .., ~, $HOME), and compares against $CLAUDE_PROJECT_DIR. Dependencies: bash + jq.
Testing
bash tests/test_guard.sh
125 tests covering all guard scenarios. CI runs on Ubuntu and macOS.
License
MIT
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found