Stats
Links
Categories
Auto-discovered marketplace from tddyco/guardian
npx claudepluginhub tddyco/guardianLLM-based guardian that auto-approves read-only Bash commands and defers everything else to user approval
An LLM-based PreToolUse hook that auto-approves read-only Bash commands and defers everything else to the normal user approval prompt.
Tired of manually approving ls, cat, python analyze.py, and git log? This plugin invokes claude -p as a security reviewer to inspect each Bash command (including reading script files the agent may have written) and auto-approves when it's confident the operation is safe.
cat, ls, grep, find, jq, diff, wc, head, tail, etc.git log, git diff, git status, git show, git blame, etc.gh pr view, gh pr list, gh issue list, gh api (GET only)du, df, ps, uname, whoamimkdir, touch, cp, mv, rm, output redirects — anything that stays inside the project directory, /tmp, or ~/.claude/projects/*/memory/Everything else, including:
git commit, git push)npm install, pip install)/tmp, and ~/.claude/projects/*/memory/curl, wget)gh api with mutating HTTP methodssudo, chmod/chown on system pathsThere is no "deny" category — the user always has the final say via the normal approval prompt.
/plugin marketplace add tddyco/guardian
/plugin install guardian@tddyco-guardian
claude --plugin-dir /path/to/claude-guardian/claude
Run /hooks inside Claude Code to confirm the PreToolUse hook is loaded ([command] type).
The policy lives in claude/policy.md and is read at runtime by the hook script. No build step needed.
To customize:
claude/policy.md with your changes--model flag in claude/hooks/guardian.shclaude/hooks/hooks.jsonThe plugin registers a PreToolUse command hook on the Bash tool. When a Bash command needs approval:
guardian.sh reads the hook input JSON from stdinclaude -p --model sonnet with the policy as system prompt and the command details as user input--json-schema enforces {"ok": boolean, "reason": string} output--tools "Read" lets the reviewer inspect script files but not write or execute anything--settings '{"disableAllHooks":true}' prevents recursive hook callsok: true → auto-approve. Otherwise → show normal approval promptCtrl+O in Claude Code toggles verbose mode — shows hook stdout/stderr inline--debug flag shows full hook execution details/hooks menu to verify the hook is loaded and check its sourceThe hook invokes claude -p (Sonnet) on every non-whitelisted Bash command. For typical data analysis workflows this is a small overhead, but it adds up with many commands. Consider whitelisting your most frequent safe commands in settings.json to bypass the hook entirely.
Guardian was inspired by Codex's experimental Guardian system, which uses an LLM sub-agent to review tool calls for safety. I wanted something similar for Claude Code — but with a different philosophy.
Codex Guardian and Claude Code's auto mode are primarily safety tools: they block destructive or malicious actions while letting normal work flow through. Guardian is much more conservative, while still being much more permissive than a typical sandbox. It auto-approves only operations with an extremely limited blast radius (reads + writes to CWD/tmp), and defers everything else to the user. This includes actions that are perfectly safe but externally visible, like posting a GitHub comment, pushing a branch, or installing a package. The goal isn't just to prevent damage, it's to prevent the AI from taking any irreversible or externally-visible action without explicit human review.