Git防护栏：阻止Claude执行危险Git命令的安全钩子脚本

git-guardrails-claude-code by mattpocock/skills

1,400 周安装量

9,900 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/mattpocock/skills --skill git-guardrails-claude-code

开发开发运维安全

🇨🇳中文介绍

设置 Git 防护栏

设置一个 PreToolUse 钩子，用于在 Claude 执行危险 git 命令之前拦截并阻止它们。

被阻止的命令

git push (包括 --force 在内的所有变体)
git reset --hard
git clean -f / git clean -fd
git branch -D
git checkout . / git restore .

当命令被阻止时，Claude 会看到一条消息，告知其无权访问这些命令。

步骤

1. 询问范围

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

2. 复制钩子脚本

捆绑的脚本位于：scripts/block-dangerous-git.sh

根据范围将其复制到目标位置：

项目范围 : .claude/hooks/block-dangerous-git.sh
全局范围 : ~/.claude/hooks/block-dangerous-git.sh

使用 chmod +x 使其可执行。

3. 将钩子添加到设置

添加到相应的设置文件中：

项目范围 (.claude/settings.json):

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/block-dangerous-git.sh"
          }
        ]
      }
    ]
  }
}

全局范围 (~/.claude/settings.json):

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "command": "~/.claude/hooks/block-dangerous-git.sh"
          }
        ]
      }
    ]
  }
}

如果设置文件已存在，请将钩子合并到现有的 hooks.PreToolUse 数组中——不要覆盖其他设置。

4. 询问自定义选项

询问用户是否想要从阻止列表中添加或删除任何模式。相应地编辑复制的脚本。

运行一个快速测试：

echo '{"tool_input":{"command":"git push origin main"}}' | <path-to-script>

应该以代码 2 退出，并向 stderr 打印一条 BLOCKED 消息。

🇺🇸English

Setup Git Guardrails

Sets up a PreToolUse hook that intercepts and blocks dangerous git commands before Claude executes them.

What Gets Blocked

git push (all variants including --force)
git reset --hard
git clean -f / git clean -fd
git branch -D
git checkout . / git restore .

When blocked, Claude sees a message telling it that it does not have authority to access these commands.

Steps

1. Ask scope

Ask the user: install for this project only (.claude/settings.json) or all projects (~/.claude/settings.json)?

2. Copy the hook script

The bundled script is at: scripts/block-dangerous-git.sh

Copy it to the target location based on scope:

Project : .claude/hooks/block-dangerous-git.sh
Global : ~/.claude/hooks/block-dangerous-git.sh

Make it executable with chmod +x.

3. Add hook to settings

Add to the appropriate settings file:

Project (.claude/settings.json):

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/block-dangerous-git.sh"
          }
        ]
      }
    ]
  }
}

Global (~/.claude/settings.json):

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "command": "~/.claude/hooks/block-dangerous-git.sh"
          }
        ]
      }
    ]
  }
}

If the settings file already exists, merge the hook into existing hooks.PreToolUse array — don't overwrite other settings.

4. Ask about customization

Ask if user wants to add or remove any patterns from the blocked list. Edit the copied script accordingly.

5. Verify

Run a quick test:

echo '{"tool_input":{"command":"git push origin main"}}' | <path-to-script>

Should exit with code 2 and print a BLOCKED message to stderr.

Weekly Installs

1.4K

Repository

mattpocock/skills

GitHub Stars

9.9K

First Seen

Feb 10, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

opencode1.3K

codex1.3K

gemini-cli1.3K

github-copilot1.3K

kimi-cli1.3K

amp1.3K

React 组合模式指南：Vercel 组件架构最佳实践，提升代码可维护性

102,200 周安装