| name | dangerous-actions |
| description | Rosetta CRITICAL MUST skill. MUST activate when action or its consequence is potentially dangerous, potentially irreversible, potentially destructive, or HIGH RISK. MUST activate when consequence MAYBE dangerous even if action itself seems safe. This is enterprise environment — the cost of dangerous activities is EXTREMELY HIGH, recovery may be impossible, and blast radius may affect production, shared environments, or other teams. If there is even a remote chance - load the skill. |
| license | Apache-2.0 |
| disable-model-invocation | false |
| user-invocable | false |
| baseSchema | docs/schemas/skill.md |
<dangerous_actions>
- Assess BLAST RADIUS before execution.
- "THINK THE OPPOSITE" — what if this goes wrong?
- Consider safer alternatives.
- MUST REQUIRE EXPLICIT user approval for hard-deny tier (see below).
Examples (not limited):
- Deleting data from actual servers
- Using actual servers in unit testing
- git reset, deleting branches, force-push
- Generating destructive scripts or commands
- Modifying shared infrastructure, CI/CD, permissions
- Dropping or truncating database tables
Exceptions (only after blast radius):
- Application code itself.
- Just-created data you CAN fully recover.
- Temporary data without side-effects.
- Assuming local action has no remote consequence.
- Generating destructive commands in scripts without flagging.
Active in Claude Code, Cursor, Copilot, and Codex. Windsurf: adapter ships but no plugin yet.
An automated PreToolUse hook backs this skill for the highest-blast-radius patterns (Bash destructive commands, file writes to secret paths, DDL payloads in content). The hook is a deterministic tripwire — it does not replace this skill's reasoning process. Use this skill to reason about danger; the hook enforces a last-resort gate if that reasoning is skipped.
Two-tier policy
All patterns are classified as either reconsider (dangerous but recoverable) or hard-deny (catastrophic, no bypass exists):
| Tier | Examples | AI behaviour on deny |
|---|
reconsider | rm -rf ./cache, git reset --hard, git branch -D, aws s3 rm --recursive, DDL in content | Deny with retry instruction; AI may add Rosetta-AI-reviewed comment after reconsidering blast radius |
hard-deny | rm -rf /, rm -rf $HOME, mkfs, dd of=/dev/, curl | sh, writes to .env / SSH keys / AWS credentials / kubeconfig | Permanent block; human review required |
Threat model
This hook is a deterministic safety net against accidental destructive intent — not a security boundary against a determined adversary.
| Protects against | Does not protect against |
|---|
Accidental rm -rf / by AI on the way to its real task | A determined AI with explicit instructions to bypass |
| Human typos in command strings | Prompt injection targeting the override token |
| Unintentional secret file writes | Novel MCP tools with non-standard field names |
AI self-approving supply-chain attacks (curl | sh is hard-deny) | Agents with OS-level shell access granted by the user |
Override mechanism — reconsider tier
When the hook denies a reconsider-tier pattern:
- Read the deny message: it explains the pattern, blast radius reason, and retry instructions.
- Reconsider the blast radius: is the target actually safe? Is there a safer alternative?
- If the action is genuinely necessary, append
Rosetta-AI-reviewed as a comment to a user-visible payload field and retry:
Bash: in the command field (append as a bash comment)
Write: in the content field (append as an appropriate comment)
Edit: in the new_string field (append as an appropriate comment)
MultiEdit: in the new_string of the relevant edits[] entry
MCP: in command, sql, query, new_string, or content
- If unsure about blast radius, stop and ask the user before proceeding.
Not accepted: description, comment, metadata, or any field not rendered in the IDE UI. This prevents silent self-assertion via hidden fields.
Detection: any occurrence of Rosetta-AI-reviewed with word boundaries in a whitelisted field is accepted. Exact case required. Rejected: Rosetta-reviewed (old token), rosetta-ai-reviewed (lowercase), Rosetta-AI-reviewedX (suffix word char).
Hard-deny tier
hard-deny patterns cannot be bypassed by the Rosetta-AI-reviewed marker. When the hook returns HARD-DENY:
- Stop immediately — do not retry with the marker.
- Explain the block and blast radius to the user.
- Propose a safer alternative if one exists.
- Wait for the human to explicitly confirm before taking any equivalent action.
</dangerous_actions>