shellfirm
mcp
Failed
Health Passed
- License — License: Apache-2.0
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Community trust — 887 GitHub stars
Code Failed
- rm -rf — Recursive force deletion command in .github/workflows/release.yml
- fs module — File system access in scripts/bump-npm-version.sh
Permissions Passed
- Permissions — No dangerous permissions requested
Purpose
This tool acts as a safety guardrail for terminal commands, intercepting and evaluating shell inputs to prevent humans and AI agents from executing destructive or risky operations.
Security Assessment
Overall risk: Low. The tool's core function is to analyze and block dangerous commands, which it does effectively through a local MCP server and shell hooks. It does not request dangerous account permissions or make suspicious network requests. There are no hardcoded secrets. The only flagged issues are a recursive force deletion command (`rm -rf`) inside a release automation workflow, and a file system access reference in a version-bump script. Both are standard build artifacts for a binary utility written in Rust and pose no threat to the end user.
Quality Assessment
The project is highly maintained and exhibits strong community trust, recently receiving updates and boasting nearly 900 GitHub stars. It uses the permissive Apache-2.0 license, making it highly suitable for integration into commercial and open-source environments. The repository is professionally structured, featuring continuous integration tests, clear documentation, and multiple safe installation methods via Homebrew, npm, and Cargo.
Verdict
Safe to use — An excellent, actively maintained utility that enhances security rather than compromising it.
Safety guardrails for AI coding agents and human terminal commands
README.md
shellfirm
Think before you execute.
Humans make mistakes. AI agents make them faster. shellfirm intercepts dangerous shell commands before the damage is done.
$ rm -rf ./src
============ RISKY COMMAND DETECTED ============
Severity: Critical
Blast radius: [PROJECT] — Deletes 347 files (12.4 MB) in ./src
Description: You are going to delete everything in the path.
Solve the challenge: 8 + 0 = ? (^C to cancel)
$ git push origin main --force
============ RISKY COMMAND DETECTED ============
Severity: High
Blast radius: [RESOURCE] — Force-pushes branch main (3 commits behind remote)
Description: This command will force push and overwrite remote history.
Alternative: git push --force-with-lease
(Checks that your local ref is up-to-date before force pushing, preventing accidental overwrites of others' work.)
Solve the challenge: 3 + 5 = ? (^C to cancel)
Features
- 100+ patterns across 9 ecosystems (filesystem, git, Kubernetes, Terraform, Docker, AWS, GCP/Azure, Heroku, databases)
- 8 shells — Zsh, Bash, Fish, Nushell, PowerShell, Elvish, Xonsh, Oils
- Context-aware escalation — harder challenges when connected via SSH, running as root, on protected git branches, or in production Kubernetes clusters
- Safe alternative suggestions — actionable safer commands shown alongside every warning
- Severity levels with configurable thresholds (Critical, High, Medium, Low, Info)
- Project policies — share team safety rules via `.shellfirm.yaml` (additive-only, never weakens)
- Audit trail — every intercepted command and decision logged as JSON-lines
- Blast radius detection — runtime context signals feed into risk scoring
- MCP server — expose shellfirm as an AI tool for Claude Code, Cursor, and other agents
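The check-then-challenge flow described above, as an added sketch that is not shellfirm's own code or rule set. The three rules, the severity given to `git reset --hard`, the function names and the challenge names are assumptions made for this example.

```shell
#!/bin/sh
# Illustrative pre-execution guard; not shellfirm's code or rule set.
# Assumed: the three rules, the severity for git reset, the challenge names.

# has_word WORD ARGS...: succeed if WORD appears as a whole argument
has_word() {
  w=$1; shift
  for a in "$@"; do
    if [ "$a" = "$w" ]; then return 0; fi
  done
  return 1
}

# classify "COMMAND LINE": print the severity of the first matching rule
classify() {
  set -f; set -- $1; set +f   # split into words, no glob expansion
  case "${1:-} ${2:-}" in
    "rm "*)
      if has_word -rf "$@" || has_word -fr "$@"; then echo Critical; return; fi ;;
    "git push")
      # --force-with-lease is a different word, so it is not flagged
      if has_word --force "$@" || has_word -f "$@"; then echo High; return; fi ;;
    "git reset")
      if has_word --hard "$@"; then echo High; return; fi ;;
  esac
  echo None
}

# challenge_for SEVERITY IS_ROOT IS_SSH: harder prompt in a risky context
challenge_for() {
  if [ "$1" = None ]; then echo none; return; fi
  if [ "$2" = 1 ] || [ "$3" = 1 ]; then echo typed-confirmation; else echo math; fi
}

# guard "COMMAND LINE": classify, then pick a challenge from the live session
guard() {
  sev=$(classify "$1")
  root=0; ssh=0
  if [ "$(id -u)" = 0 ]; then root=1; fi
  if [ -n "${SSH_CONNECTION:-}" ]; then ssh=1; fi
  echo "$sev $(challenge_for "$sev" "$root" "$ssh")"
}

guard "git push origin main --force"   # constructed sample input
```

Whole-word matching keeps `--force-with-lease` and a file named `notes-rf.txt` from being flagged, but it also misses split flags (`rm -r -f`), `sudo` prefixes and pipelines, which a real rule set has to cover.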
AI Tool Integration
Claude Code
One command sets up both automatic safety (hooks) and on-demand analysis (MCP):
shellfirm connect claude-code
This adds:
- Hooks — every Bash command is checked before execution; risky commands are blocked
- MCP — Claude can call shellfirm tools to explain risks and suggest alternatives
MCP Tools
| Tool | Description |
|---|---|
| check_command | Check if a command is risky — returns severity, matched rules, and alternatives |
| suggest_alternative | Get safer replacement commands |
| explain_risk | Detailed explanation of why a command is dangerous |
| get_policy | Read the active shellfirm configuration and project policy |
Installation
npm
npm install -g @shellfirm/cli
Homebrew
brew tap kaplanelad/tap && brew install shellfirm
Cargo
cargo install shellfirm
Or download the binary from the releases page.
Quick Start
1. Install the shell hook (auto-detects your shell):
shellfirm init --install
2. Restart your shell (or source your rc file).
3. Try it:
git reset --hard # Should trigger shellfirm!
For manual setup, shell-specific instructions, and Oh My Zsh plugin, see the shell setup docs.
Documentation
Full documentation is available at shellfirm.dev:
- Configuration — challenge types, severity thresholds, custom checks
- Context-Aware Protection — SSH, root, git branches, Kubernetes, environment variables
- Team Policies — `.shellfirm.yaml` project-level rules
- AI Agents & Automation — MCP server, LLM analysis, agent mode
Contributing
Contributions are welcome! Please open an issue or pull request on GitHub.
License