Rosetta CRITICAL MUST skill. MUST activate when action or its consequence is potentially dangerous, potentially irreversible, potentially destructive, or HIGH RISK. MUST activate when consequence MAYBE dangerous even if action itself seems safe. This is enterprise environment — the cost of dangerous activities is EXTREMELY HIGH, recovery may be impossible, and blast radius may affect production, shared environments, or other teams. If there is even a remote chance - load the skill.
56
—
Does it follow best practices?
Impact
—
No eval scenarios have been run
Passed
No known issues
<dangerous_actions>
Examples (not limited):
Exceptions (only after blast radius):
Active in Claude Code, Cursor, Copilot, and Codex. Windsurf: adapter ships but no plugin yet.
An automated PreToolUse hook backs this skill for the highest-blast-radius patterns (Bash destructive commands, file writes to secret paths, DDL payloads in content). The hook is a deterministic tripwire — it does not replace this skill's reasoning process. Use this skill to reason about danger; the hook enforces a last-resort gate if that reasoning is skipped.
All patterns are classified as either reconsider (dangerous but recoverable) or hard-deny (catastrophic, no bypass exists):
| Tier | Examples | AI behaviour on deny |
|---|---|---|
reconsider | rm -rf ./cache, git reset --hard, git branch -D, aws s3 rm --recursive, DDL in content | Deny with retry instruction; AI may add Rosetta-AI-reviewed comment after reconsidering blast radius |
hard-deny | rm -rf /, rm -rf $HOME, mkfs, dd of=/dev/, curl | sh, writes to .env / SSH keys / AWS credentials / kubeconfig | Permanent block; human review required |
This hook is a deterministic safety net against accidental destructive intent — not a security boundary against a determined adversary.
| Protects against | Does not protect against |
|---|---|
Accidental rm -rf / by AI on the way to its real task | A determined AI with explicit instructions to bypass |
| Human typos in command strings | Prompt injection targeting the override token |
| Unintentional secret file writes | Novel MCP tools with non-standard field names |
AI self-approving supply-chain attacks (curl | sh is hard-deny) | Agents with OS-level shell access granted by the user |
When the hook denies a reconsider-tier pattern:
Rosetta-AI-reviewed as a comment to a user-visible payload field and retry:
Bash: in the command field (append as a bash comment)Write: in the content field (append as an appropriate comment)Edit: in the new_string field (append as an appropriate comment)MultiEdit: in the new_string of the relevant edits[] entryMCP: in command, sql, query, new_string, or contentNot accepted: description, comment, metadata, or any field not rendered in the IDE UI. This prevents silent self-assertion via hidden fields.
Detection: any occurrence of Rosetta-AI-reviewed with word boundaries in a whitelisted field is accepted. Exact case required. Rejected: Rosetta-reviewed (old token), rosetta-ai-reviewed (lowercase), Rosetta-AI-reviewedX (suffix word char).
hard-deny patterns cannot be bypassed by the Rosetta-AI-reviewed marker. When the hook returns HARD-DENY:
</dangerous_actions>
1efa337
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.