Focus.AI Labs / Artifact Field Notes Extensions

security

Block dangerous bash commands and protect sensitive paths from writes

Origin
seed-list
Extensibility
package
Primary interface
unknown

What this artifact is for

The quick orientation layer before you go deeper upstream.

Profile

Summary

Seed description: Block dangerous bash commands and protect sensitive paths from writes

Category: Extensions

Best for: Not yet synthesized.

Signals

How to read this page

Workflow tags: none captured

Integrations: none captured

Caveats: No caveats captured yet

Maturity: No maturity signals captured

Source excerpt

More of the actual upstream surface so you can skim here before deciding to open the repo.

Upstream skim
No upstream prose excerpt was captured yet for this artifact.

What shows up in the source

Quick topics

No clear heading structure was captured from the upstream surface.

Skim bullets

No additional structured notes were captured for this artifact yet.
import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
import * as path from "node:path";

/**
 * Comprehensive security hook:
 * - Blocks dangerous bash commands (rm -rf, sudo, chmod 777, etc.)
 * - Protects sensitive paths from writes (.env, node_modules, .git, keys)
 */
export default function (pi: ExtensionAPI) {
  const dangerousCommands = [
    { pattern: /\brm\s+(-[^\s]*r|--recursive)/, desc: "recursive delete" }, // rm -rf, rm -r, rm --recursive
    { pattern: /\bsudo\b/, desc: "sudo command" }, // sudo anything
    { pattern: /\b(chmod|chown)\b.*777/, desc: "dangerous permissions" }, // chmod 777, chown 777
    { pattern: /\bmkfs\b/, desc: "filesystem format" }, // mkfs.ext4, mkfs.xfs
    { pattern: /\bdd\b.*\bof=\/dev\//, desc: "raw device write" }, // dd if=x of=/dev/sda
    { pattern: />\s*\/dev\/sd[a-z]/, desc: "raw device overwrite" }, // echo x > /dev/sda
    { pattern: /\bkill\s+-9\s+-1\b/, desc: "kill all processes" }, // kill -9 -1
    { pattern: /:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;/, desc: "fork bomb" }, // :(){:|:&};:
  ];

  const protectedPaths = [
    { pattern: /\.env($|\.(?!example))/, desc: "environment file" }, // .env, .env.local (but not .env.example)
    { pattern: /\.dev\.vars($|\.[^/]+$)/, desc: "dev vars file" }, // .dev.vars
    { pattern: /node_modules\//, desc: "node_modules" }, // node_modules/
    { pattern: /^\.git\/|\/\.git\//, desc: "git directory" }, // .git/
    { pattern: /\.pem$|\.key$/, desc: "private key file" }, // *.pem, *.key
    { pattern: /id_rsa|id_ed25519|id_ecdsa/, desc: "SSH key" }, // id_rsa, id_ed25519
    { pattern: /\.ssh\//, desc: ".ssh directory" }, // .ssh/
    // Captured excerpt ends here; any further entries and the hook registration are not shown.
  ];
}

Sources and provenance

Everything on this page should be traceable back to the list seed or an upstream surface.

Provenance

Discovery reason: Listed in the awesome-pi-agent README

Discovered from: michalvavra-agents

Claim confidence: medium

Surface capture kind: blob-code