✓ Verified 💻 Development ✓ Enhanced Data

Dcg Guard

Hard-blocks dangerous shell commands (rm -rf, git push --force, etc.) before execution via OpenClaw'

Rating
4.1 (341 reviews)
Downloads
32,974 downloads
Version
1.0.0

Overview

Hard-blocks dangerous shell commands (rm -rf, git push --force, etc.) before execution via OpenClaw's.

Key Features

1

Blocked (Unix):* rm -rf ~, git push --force, git reset --hard, git clean -fd, git branch -D

2

Blocked (Windows):* Remove-Item -Recurse -Force, rd /s /q, del /s, Format-Volume, reg delete HKLM

3

Allowed:* ls, cat, echo, git status, npm install, dir, Get-ChildItem

Complete Documentation

View Source →

DCG Guard

An OpenClaw plugin that hard-blocks dangerous shell commands before they execute. Works on any OpenClaw installation (Windows, macOS, Linux, local, VPS, anywhere). No binary dependencies required.

What It Does

Intercepts every exec/bash tool call via OpenClaw's before_tool_call plugin event. Pipes the command through DCG (Dangerous Command Guard). Safe commands pass silently with zero overhead. Dangerous commands are blocked before execution.

Blocked (Unix): rm -rf ~, git push --force, git reset --hard, git clean -fd, git branch -D Blocked (Windows): Remove-Item -Recurse -Force, rd /s /q, del /s, Format-Volume, reg delete HKLM Allowed: ls, cat, echo, git status, npm install, dir, Get-ChildItem

Install

bash
# After clawhub install dcg-guard:
bash install.sh

Or manually:

bash
# 1. Install DCG binary
curl -sSL https://raw.githubusercontent.com/Dicklesworthstone/destructive_command_guard/master/install.sh | bash

# 2. Link plugin into OpenClaw
openclaw plugins install -l /path/to/dcg-guard
openclaw gateway restart

How It Works

  • Agent calls exec with a command
  • Plugin intercepts via before_tool_call (runs before execution)
  • Command is checked against built-in rules (cross-platform, <1ms, no subprocess)
  • If no built-in match and DCG binary is installed, command is piped to DCG (~27ms)
  • Safe: silent passthrough, agent never knows the plugin exists
  • Dangerous: { block: true } returned to OpenClaw, command never executes
v1.1.0: Built-in rules work without the DCG binary. DCG binary is optional (adds extra unix rules). Windows fully supported out of the box.

Security

  • No shell interpolation. Commands are passed to DCG via stdin using execFileSync (not execSync). No injection risk.
  • Fail-open. If DCG binary is missing or crashes, commands pass through. The plugin never deadlocks your agent.
  • Zero dependencies. Only requires the DCG binary (single Go binary, no runtime deps).

Configuration

Optional, in openclaw.json under plugins.entries.dcg-guard.config:

json
{
  "enabled": true,
  "dcgBin": "/custom/path/to/dcg"
}

Default DCG path: ~/.local/bin/dcg

Override with env var: DCG_BIN=/path/to/dcg

Agent Instructions (optional)

Add to your workspace AGENTS.md:

text
When a command is blocked by DCG Guard, do NOT retry it.
Ask the user for explicit permission before attempting any alternative.
The block exists because the command is destructive or irreversible.

Installation

Terminal bash 

openclaw install dcg-guard
Copied!

💻Code Examples

openclaw gateway restart

openclaw-gateway-restart.txt
## How It Works

1. Agent calls `exec` with a command
2. Plugin intercepts via `before_tool_call` (runs before execution)
3. Command is checked against built-in rules (cross-platform, <1ms, no subprocess)
4. If no built-in match and DCG binary is installed, command is piped to DCG (~27ms)
5. Safe: silent passthrough, agent never knows the plugin exists
6. Dangerous: `{ block: true }` returned to OpenClaw, command never executes

**v1.1.0:** Built-in rules work without the DCG binary. DCG binary is optional (adds extra unix rules). Windows fully supported out of the box.

## Security

- **No shell interpolation.** Commands are passed to DCG via stdin using `execFileSync` (not `execSync`). No injection risk.
- **Fail-open.** If DCG binary is missing or crashes, commands pass through. The plugin never deadlocks your agent.
- **Zero dependencies.** Only requires the DCG binary (single Go binary, no runtime deps).

## Configuration

Optional, in `openclaw.json` under `plugins.entries.dcg-guard.config`:

}

.txt
Default DCG path: `~/.local/bin/dcg`

Override with env var: `DCG_BIN=/path/to/dcg`

## Agent Instructions (optional)

Add to your workspace `AGENTS.md`:
example.sh
# 1. Install DCG binary
curl -sSL https://raw.githubusercontent.com/Dicklesworthstone/destructive_command_guard/master/install.sh | bash

# 2. Link plugin into OpenClaw
openclaw plugins install -l /path/to/dcg-guard
openclaw gateway restart
example.json
{
  "enabled": true,
  "dcgBin": "/custom/path/to/dcg"
}
example.txt
When a command is blocked by DCG Guard, do NOT retry it.
Ask the user for explicit permission before attempting any alternative.
The block exists because the command is destructive or irreversible.

Tags

#coding_agents-and-ides #git

Quick Info

Category Development
Model Claude 3.5
Complexity One-Click
Author starensen
Last Updated 3/10/2026
🚀
Optimized for
Claude 3.5
🧠

Ready to Install?

Get started with this skill in seconds

openclaw install dcg-guard

Resources

📂
OpenClaw Skills
View on OpenClaw GitHub

Related Skills

✓ Verified 💻 Development

4claw

4claw — a moderated imageboard for AI agents.

🧠 Claude-Ready #ai_and-llms
)}
4.4 (118)
4,990
v1.0.0
✓ Verified 💻 Development

Aap Passport

Agent Attestation Protocol - The Reverse Turing Test.

🧠 Claude-Ready #ai_and-llms
)}
4.3 (89)
4,621
v1.0.0
✓ Verified 💻 Development

Acestep Lyrics Transcription

Transcribe audio to timestamped lyrics using OpenAI Whisper or ElevenLabs Scribe API.

GPT-Optimized #ai_and-llms #api #script
)}
3.8 (274)
17,648
v1.0.0
✓ Verified 💻 Development

Adaptive Suite

A continuously adaptive skill suite that empowers Clawdbot.

🧠 Claude-Ready #ai_and-llms #bot
)}
4.7 (88)
1,625
v1.0.0