Damage Control

Defense-in-depth protection for Claude Code. Manage security hooks to block dangerous commands, enforce file access controls, and protect sensitive paths across global or project-specific scopes.

Introduction

Damage Control provides a defense-in-depth security layer for the Claude Code agent, specifically designed to mitigate the risk of executing unintended or malicious commands. By implementing PreToolUse hooks, it validates bash commands, file edits, and file writes before they occur. It is intended for software engineers and security-conscious developers who need to restrict an autonomous agent's environment, ensuring that critical production directories, credential files, and system configurations remain secure against accidental or unauthorized modification. Users can define custom policies through a centralized patterns.yaml file to block specific bash patterns like rm -rf or git reset, and enforce fine-grained path protection levels including zeroAccessPaths, readOnlyPaths, and noDeletePaths.

  • Command pattern blocking: Prevents dangerous bash executions by intercepting them via PreToolUse hooks before they reach the shell.

  • Path protection levels: Configures three distinct tiers of access control to safeguard secrets (zeroAccessPaths), protect system configs (readOnlyPaths), and prevent accidental deletion (noDeletePaths).

  • Multi-scope deployment: Supports installation at the global user level, project-shared level, or local personal level using .claude/settings.json or settings.local.json files.

  • Interactive workflows: Includes built-in cookbooks to guide users through installation, modification, testing, and cross-platform configuration for Windows PowerShell and cmd.

  • Automated validation: Offers test prompts and command validation features to verify that security hooks are correctly catching unauthorized operations before they execute.

  • The skill sits as an intermediary layer between a tool call and its execution, and requires standard tooling, either uv (Python) or Bun (TypeScript), depending on the selected implementation.

  • Users can trigger workflows with natural language, such as asking to 'install damage control' or 'block the command npm publish' for immediate policy updates.

  • Hooks match tool input against regex patterns and report the decision through the exit code (exit 0 to allow, exit 2 to block) or through JSON output for user confirmation prompts.

  • Always maintain a backup of your .claude settings when modifying security configurations, and ensure the hooks path matches your current agent working directory.

  • Use the test suite provided in the skill directory to validate your specific environment patterns before relying on them for production security.
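
The sketch below shows how a PreToolUse hook can combine regex command blocking, the three path tiers and the exit 0 / exit 2 convention described above. It is an added example, not code from the Damage Control repository. The policy layout, the sample patterns and paths, the substring path matching and the stdin field names (`tool_name`, `tool_input`, `command`, `file_path`) are assumptions, and the JSON confirmation path is left out.

```python
import json
import re
import sys

# Constructed sample policy. The three tier names come from the page; the dict
# layout, patterns and paths are assumptions, not the project's patterns.yaml.
POLICY = {
    "bashPatterns": [r"\brm\s+-[a-zA-Z]*r[a-zA-Z]*f", r"\bgit\s+reset\b"],
    "zeroAccessPaths": [".env", ".ssh/"],
    "readOnlyPaths": ["/etc/"],
    "noDeletePaths": ["docs/"],
}
ALLOW, BLOCK = 0, 2  # exit codes named on the page


def evaluate(event, policy=POLICY):
    """Return (exit_code, reason) for one PreToolUse event (hypothetical helper)."""
    tool = event.get("tool_name", "")
    args = event.get("tool_input", {})
    if tool == "Bash":
        cmd = args.get("command", "")
        for pat in policy["bashPatterns"]:
            if re.search(pat, cmd):
                return BLOCK, f"command matches blocked pattern {pat!r}"
        # Substring matching is deliberately crude: it over-blocks, never under-blocks.
        for p in policy["zeroAccessPaths"]:
            if p in cmd:
                return BLOCK, f"command references zero-access path {p!r}"
        if re.search(r"\b(rm|rmdir|unlink)\b", cmd):
            for p in policy["noDeletePaths"]:
                if p in cmd:
                    return BLOCK, f"delete touches no-delete path {p!r}"
    elif tool in ("Edit", "Write"):
        path = args.get("file_path", "")
        for tier in ("zeroAccessPaths", "readOnlyPaths"):
            for p in policy[tier]:
                if p in path:
                    return BLOCK, f"{tool} targets {tier} entry {p!r}"
    return ALLOW, ""


def main():
    code, reason = evaluate(json.load(sys.stdin))
    if code == BLOCK:
        print(f"BLOCKED: {reason}", file=sys.stderr)  # reason goes to stderr
    sys.exit(code)


if __name__ == "__main__":
    main()
```

Shell writes into a read-only path (for example through redirection) are not covered by this sketch; a full policy would need patterns for them as well.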

Repository Stats

Stars: 457
Forks: 75
Open Issues: 10
Language: Python
Default Branch: main
Sync Status: Idle
Last Synced: May 4, 2026, 01:00 AM