CmdGuard

block dangerous shell commands before your AI agent runs them

npx -y github:Isco0819/cmdguard

Ever run into this?

ShellCheck has 35k+ GitHub stars and is the gold standard for shell script safety, but there is no MCP-native layer that intercepts raw shell strings before an AI agent executes them. Agents confidently run rm -rf, curl | bash, or unbounded loops undetected until damage is done. Nothing gates shell execution inside the agent loop today.

The fix

CmdGuard is an MCP server that wraps any shell-execution tool call, runs the command string through ShellCheck plus a configurable JSON rule set, and returns a SAFE/WARN/BLOCK verdict with reasons before the agent proceeds.

What it does

npx -y github:Isco0819/cmdguard