dcg-guard

Hard-blocks dangerous shell commands (rm -rf, git push --force, etc.) before execution via OpenClaw's before_tool_call plugin hook. Zero noise on safe commands, ~27ms latency. Uses DCG (Dangerous Command Guard) binary.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "dcg-guard" with this command: npx skills add starensen/dcg-guard

DCG Guard

An OpenClaw plugin that hard-blocks dangerous shell commands before they execute. Works on any OpenClaw installation (Windows, macOS, Linux, local, VPS, anywhere). No binary dependencies required.

What It Does

Intercepts every exec/bash tool call via OpenClaw's before_tool_call plugin event. Pipes the command through DCG (Dangerous Command Guard). Safe commands pass silently with zero overhead. Dangerous commands are blocked before execution.

Blocked (Unix): rm -rf ~, git push --force, git reset --hard, git clean -fd, git branch -D Blocked (Windows): Remove-Item -Recurse -Force, rd /s /q, del /s, Format-Volume, reg delete HKLM Allowed: ls, cat, echo, git status, npm install, dir, Get-ChildItem

Install

# After clawhub install dcg-guard:
bash install.sh

Or manually:

# 1. Install DCG binary
curl -sSL https://raw.githubusercontent.com/Dicklesworthstone/destructive_command_guard/master/install.sh | bash

# 2. Link plugin into OpenClaw
openclaw plugins install -l /path/to/dcg-guard
openclaw gateway restart

How It Works

  1. Agent calls exec with a command
  2. Plugin intercepts via before_tool_call (runs before execution)
  3. Command is checked against built-in rules (cross-platform, <1ms, no subprocess)
  4. If no built-in match and DCG binary is installed, command is piped to DCG (~27ms)
  5. Safe: silent passthrough, agent never knows the plugin exists
  6. Dangerous: { block: true } returned to OpenClaw, command never executes

v1.1.0: Built-in rules work without the DCG binary. DCG binary is optional (adds extra unix rules). Windows fully supported out of the box.

Security

  • No shell interpolation. Commands are passed to DCG via stdin using execFileSync (not execSync). No injection risk.
  • Fail-open. If DCG binary is missing or crashes, commands pass through. The plugin never deadlocks your agent.
  • Zero dependencies. Only requires the DCG binary (single Go binary, no runtime deps).

Configuration

Optional, in openclaw.json under plugins.entries.dcg-guard.config:

{
  "enabled": true,
  "dcgBin": "/custom/path/to/dcg"
}

Default DCG path: ~/.local/bin/dcg

Override with env var: DCG_BIN=/path/to/dcg

Agent Instructions (optional)

Add to your workspace AGENTS.md:

When a command is blocked by DCG Guard, do NOT retry it.
Ask the user for explicit permission before attempting any alternative.
The block exists because the command is destructive or irreversible.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub

Related Skills

Related by shared tags or category signals.

General

Zoom

Zoom API integration with managed OAuth. Manage meetings, webinars, recordings, and user profiles. Use this skill when users want to schedule meetings, manag...

Registry SourceRecently Updated
2211byungkyu
General

Kleinanzeigen.de Helper

Erstelle und verwalte Verkaufsanzeigen speziell auf kleinanzeigen.de. Verwende diesen Skill wenn der Human sagt, er will etwas auf kleinanzeigen.de verkaufen...

Registry SourceRecently Updated
00simon83s
General

Poku

Sends and receives phone calls and messages (like SMS, WhatsApp, Slack), and reserves dedicated phone numbers using the Poku API. Example use cases: calling...

Registry SourceRecently Updated
7401emileindik
General

IMAP/SMTP Email - Maddy Fix

Read and send email via IMAP/SMTP. Check for new/unread messages, fetch content, search mailboxes, mark as read/unread, and send emails with attachments. Sup...

Registry SourceRecently Updated
80troioi-vn