by esperent 83 days ago
I added a hook to disable rm, find - delete, and a few of the other more obvious destructive ops. It sends Claude a strongly worded message: "STOP IMMEDIATELY. DO NOT TRY TO FIND WORKAROUNDS...".

It works well. Git rm is still allowed.

3 comments

I added something similar. Claude eventually ran a `rm -rf *` on my own project. When I asked why it did that, it recognized it messed up and offered a very bad "apology": "the irony of not following your safety instructions isn't lost on me".

Nowadays I only run Claude in Plan mode, so it doesn’t ask me for permissions any more.

It works well so far, for you.

Are you confident it would still work against sophisticated prompt injection attacks that override your "strongly worded message"?

Strongly worded signs can be great for safety (actual mechanisms preventing undesirable actions from being taken are still much better), but are essentially meaningless for security.

Not sure about OP's impl, but the wording doesn't matter. The hook prevents the use of whatever action you want. E.g., it's impossible for Claude to use emojis for me. My hook doesn't allow it.

So it's deterministic based upon however the script is written.
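An added example of the kind of deterministic hook described in this thread (this is illustrative code, not the poster's hook or anything shipped by Anthropic). It assumes the Claude Code PreToolUse hook contract as documented at the time of writing: the hook reads a JSON object on stdin with `tool_name` and `tool_input` (for the Bash tool the command string is `tool_input["command"]`), exit status 2 blocks the call, and whatever the hook wrote to stderr is shown to the model. Check the current docs before relying on those details. The point the code makes concrete: the "STOP IMMEDIATELY" text is advice to the model and enforces nothing; the exit status does. It blocks `rm` and `find -delete` wherever they appear in a pipeline or `&&` chain, lets `git rm` through (the command name is `git`), looks inside `bash -c '...'` strings, and, as a deliberate demonstration of the limit, lets `sh ./cleanup.sh` through because a name check cannot see inside a script file. Wrapper names, separators and the sample commands are constructed for the example.

```python
#!/usr/bin/env python3
"""Deterministic PreToolUse hook that denies destructive shell commands.

Assumed hook contract (verify against the current Claude Code docs): JSON on
stdin with "tool_name" and "tool_input"; exit 2 blocks the call and stderr is
fed back to the model. Only the exit status enforces anything.
"""
import json
import os
import shlex
import sys

# Text shown to the model on a block. Its wording does not affect enforcement.
STOP_MESSAGE = ("STOP IMMEDIATELY. DO NOT TRY TO FIND WORKAROUNDS. "
                "Destructive file operations are blocked by a hook.")

# Commands that only wrap another command (assumed list; option-taking forms
# such as `sudo -u root rm` are not modelled here).
WRAPPERS = {"sudo", "command", "env", "nohup", "nice", "time", "xargs", "exec"}
# Operators that end one simple command and start the next.
SEPARATORS = {";", "&&", "||", "|", "&", "(", ")"}


def tokenize(command):
    """Split a command line the way the shell would, keeping operators as
    their own tokens: `rm -rf *;ls` -> ['rm', '-rf', '*', ';', 'ls']."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def simple_commands(tokens):
    """Group tokens into simple commands, dropping redirection targets."""
    groups, current, skip_next = [], [], False
    for tok in tokens:
        if skip_next:               # file name after a redirection operator
            skip_next = False
        elif tok in SEPARATORS:
            if current:
                groups.append(current)
            current = []
        elif set(tok) <= set("<>"):  # '<', '>', '>>' and friends
            skip_next = True
        else:
            current.append(tok)
    if current:
        groups.append(current)
    return groups


def strip_prefix(words):
    """Drop leading VAR=value assignments and wrapper commands."""
    i = 0
    while i < len(words):
        w = words[i]
        is_assignment = "=" in w and not w.startswith("-")
        if is_assignment or os.path.basename(w) in WRAPPERS:
            i += 1
        else:
            break
    return words[i:]


def destructive_reason(words):
    """Return why one simple command is denied, or None if it is allowed."""
    words = strip_prefix(words)
    if not words:
        return None
    name, args = os.path.basename(words[0]), words[1:]
    if name == "rm":
        return "rm is blocked"
    if name == "find" and ("-delete" in args or ("-exec" in args and "rm" in args)):
        return "find with -delete/-exec rm is blocked"
    # Inspect inline scripts, otherwise `bash -c 'rm -rf *'` would pass.
    if name in {"sh", "bash", "dash", "zsh"} and "-c" in args:
        idx = args.index("-c") + 1
        return check_command(args[idx]) if idx < len(args) else None
    return None  # includes `git rm` (name is git) and `sh ./cleanup.sh`


def check_command(command):
    """Return a denial reason for a whole command line, or None if allowed."""
    try:
        tokens = tokenize(command)
    except ValueError:              # unbalanced quotes: refuse, don't guess
        return "could not parse command"
    for group in simple_commands(tokens):
        reason = destructive_reason(group)
        if reason:
            return reason
    return None


def decide(payload):
    """Map a hook payload to (exit_status, message): 0 allows, 2 blocks."""
    if payload.get("tool_name") != "Bash":
        return 0, ""
    reason = check_command(payload.get("tool_input", {}).get("command", ""))
    if reason is None:
        return 0, ""
    return 2, f"{STOP_MESSAGE} ({reason})"


if __name__ == "__main__":
    status, message = decide(json.load(sys.stdin))
    if message:
        print(message, file=sys.stderr)
    sys.exit(status)
```

Registered as a PreToolUse hook for the Bash tool in the Claude Code settings (again, per the assumed contract), the script blocks `rm -rf *`, `cd /tmp && rm -rf *`, `ls | xargs rm` and `bash -c 'rm -rf *'` with the same message regardless of how it is phrased, and passes `git rm -r build/`. It also passes `sh ./cleanup.sh` and `python3 delete_everything.py`: once the destructive step lives in a file or another interpreter, a command-name filter is no longer the control, and the approval prompt for writing that file is.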

If your hook prevents rm, it is possible for Claude to write a script that does the rm and execute the script.

Yup, that's totally possible, but you still have to approve the script. But that's a bit of a moot point right? Claude is writing code, nearly anything is possible with code, ergo Claude could do anything lol.

I mean, that's like saying are you sure that your antivirus would prevent every possible virus? Are you sure that you haven't made some mistake in your dev box setup that would allow a hacker to compromise it? What if a thief broke into your house and stole your laptop? That's happened to me before, much more annoying to recover from than an accidental rm -rf.

I do my best to keep off-site backups and don't worry about what I can't control.

> I mean, that's like saying are you sure that your antivirus would prevent every possible virus?

Yes, I'm saying it's pretty much as bad as antivirus software.

> Are you sure that you haven't made some mistake in your dev box setup that would allow a hacker to compromise it?

Different category of error: Heuristically derived deterministic protection vs. protection based on a stochastic process.

> much more annoying to recover from than an accidental rm -rf.

My point is that it's a different category, not that one is on average worse than the other. You don't want your security to just stand against the median attacker.

It will mess up eventually. It always does. People need to stop thinking of this as a "security against malicious actor" thing… because thinking in that way blinds you to the actual threat… Claude being helpful and accidentally running a command it shouldn't. It's happened to me twice now where it will do something irreversible and also incorrect. It wasn't a threat actor, it wasn't a bad guy… it was a very eager, incredibly clever assistant fat-fingering something and goofing up. The more power you let them wield, the more chance they'll have accidents. But without lots of power, they don't really do much useful…

It’s actually a hard problem. But it really isn’t “security” in the classic sense…