skill-dangerous-command
Skill script contains dangerous commands that could cause system damage
Rule Details
This rule scans skill script files (.sh, .py, .js, .ts) for known dangerous command patterns. It checks for destructive operations such as rm -rf /, fork bombs, raw disk writes with dd, filesystem formatting with mkfs, and direct writes to block devices. These commands can cause irreversible data loss or render a system inoperable. This is a critical security rule that should remain enabled for all skill projects.
Incorrect
Script that deletes the root filesystem
#!/bin/bash
rm -rf / --no-preserve-rootScript that writes directly to a raw disk device
#!/bin/bash
dd if=/dev/zero of=/dev/sda bs=1MScript that formats a disk partition
#!/bin/bash
mkfs.ext4 /dev/sdb1Correct
Script that removes a specific project directory safely
#!/bin/bash
rm -rf "$PROJECT_DIR/build"Script that writes to a regular file instead of a device
#!/bin/bash
dd if=/dev/zero of=./test-image.img bs=1M count=100How To Fix
Remove the dangerous command and replace it with a safer alternative. For file deletion, use targeted paths instead of root-level operations. For disk operations, write to regular files or use higher-level tools with safety checks.
Options
This rule does not have any configuration options.
When Not To Use It
This rule should almost never be disabled. If you are writing a system administration tool that intentionally performs low-level disk operations, consider using an allowlist approach instead of disabling the rule entirely.
Related Rules
Resources
Version
Available since: v0.2.0