CtrlK
BlogDocsLog inGet started
Tessl Logo

dangerous-actions

Rosetta CRITICAL MUST skill. MUST activate when action or its consequence is potentially dangerous, potentially irreversible, potentially destructive, or HIGH RISK. MUST activate when consequence MAYBE dangerous even if action itself seems safe. This is enterprise environment — the cost of dangerous activities is EXTREMELY HIGH, recovery may be impossible, and blast radius may affect production, shared environments, or other teams. If there is even a remote chance - load the skill.

56

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

<dangerous_actions>

  1. Assess BLAST RADIUS before execution.
  2. "THINK THE OPPOSITE" — what if this goes wrong?
  3. Consider safer alternatives.
  4. MUST REQUIRE EXPLICIT user approval for hard-deny tier (see below).

Examples (not limited):

  • Deleting data from actual servers
  • Using actual servers in unit testing
  • git reset, deleting branches, force-push
  • Generating destructive scripts or commands
  • Modifying shared infrastructure, CI/CD, permissions
  • Dropping or truncating database tables

Exceptions (only after blast radius):

  1. Application code itself.
  2. Just-created data you CAN fully recover.
  3. Temporary data without side-effects.
  • Assuming local action has no remote consequence.
  • Generating destructive commands in scripts without flagging.

Active in Claude Code, Cursor, Copilot, and Codex. Windsurf: adapter ships but no plugin yet.

An automated PreToolUse hook backs this skill for the highest-blast-radius patterns (Bash destructive commands, file writes to secret paths, DDL payloads in content). The hook is a deterministic tripwire — it does not replace this skill's reasoning process. Use this skill to reason about danger; the hook enforces a last-resort gate if that reasoning is skipped.

Two-tier policy

All patterns are classified as either reconsider (dangerous but recoverable) or hard-deny (catastrophic, no bypass exists):

TierExamplesAI behaviour on deny
reconsiderrm -rf ./cache, git reset --hard, git branch -D, aws s3 rm --recursive, DDL in contentDeny with retry instruction; AI may add Rosetta-AI-reviewed comment after reconsidering blast radius
hard-denyrm -rf /, rm -rf $HOME, mkfs, dd of=/dev/, curl | sh, writes to .env / SSH keys / AWS credentials / kubeconfigPermanent block; human review required

Threat model

This hook is a deterministic safety net against accidental destructive intent — not a security boundary against a determined adversary.

Protects againstDoes not protect against
Accidental rm -rf / by AI on the way to its real taskA determined AI with explicit instructions to bypass
Human typos in command stringsPrompt injection targeting the override token
Unintentional secret file writesNovel MCP tools with non-standard field names
AI self-approving supply-chain attacks (curl | sh is hard-deny)Agents with OS-level shell access granted by the user

Override mechanism — reconsider tier

When the hook denies a reconsider-tier pattern:

  1. Read the deny message: it explains the pattern, blast radius reason, and retry instructions.
  2. Reconsider the blast radius: is the target actually safe? Is there a safer alternative?
  3. If the action is genuinely necessary, append Rosetta-AI-reviewed as a comment to a user-visible payload field and retry:
    • Bash: in the command field (append as a bash comment)
    • Write: in the content field (append as an appropriate comment)
    • Edit: in the new_string field (append as an appropriate comment)
    • MultiEdit: in the new_string of the relevant edits[] entry
    • MCP: in command, sql, query, new_string, or content
  4. If unsure about blast radius, stop and ask the user before proceeding.

Not accepted: description, comment, metadata, or any field not rendered in the IDE UI. This prevents silent self-assertion via hidden fields.

Detection: any occurrence of Rosetta-AI-reviewed with word boundaries in a whitelisted field is accepted. Exact case required. Rejected: Rosetta-reviewed (old token), rosetta-ai-reviewed (lowercase), Rosetta-AI-reviewedX (suffix word char).

Hard-deny tier

hard-deny patterns cannot be bypassed by the Rosetta-AI-reviewed marker. When the hook returns HARD-DENY:

  1. Stop immediately — do not retry with the marker.
  2. Explain the block and blast radius to the user.
  3. Propose a safer alternative if one exists.
  4. Wait for the human to explicitly confirm before taking any equivalent action.

</dangerous_actions>

Repository
griddynamics/rosetta
Last updated
Created

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.