Always on
Blacklists are checked regardless of:- The host the agent is on
- The specialty attached to the agent
- The operational rules in context
- Whether the task is
@2501:investigateor remediate - Whether the agent is mid-task or starting
What to blacklist by default
Even in non-production environments, block the most destructive primitives:| Pattern | Why |
|---|---|
rm -rf / | Catastrophic by definition |
rm -rf * | Scope depends on CWD — agents don’t always know where they are |
shutdown, halt, poweroff | Removes the host from the agent’s reach |
mkfs.*, dd if=* | Destroys storage |
vgremove, lvremove | Destroys logical volumes |
aws ec2 terminate-instances | Destroys cloud infrastructure |
kubectl delete namespace | Wipes whole environments |
*, ?) are supported and patterns match anywhere in the command (substring match by default).
Block interactive tools
Agents operate on a prompt, not an interactive shell. Anything that opens a TUI, asks for a password, or expects keystrokes during execution will hang the agent.| Pattern | Why |
|---|---|
vim, nano, vi, emacs | TUI editors — agents can’t navigate them |
mysql, psql, redis-cli | Interactive REPLs — use -e "<query>" or --batch |
python (alone) | REPL — agents should run scripts with python script.py |
docker exec (without -T) | Allocates a TTY |
logs -f, tail -f | Streams indefinitely — use bounded reads instead |
ssh (without command) | Sub-shell |
Block calls into known-broken paths
If an agent has repeatedly failed with a tool that has a known-bad UX (a CLI with confusing flags, an internal tool that errors silently), blacklist the bad invocation pattern and steer the agent elsewhere via a specialty or operational rule.What blacklists are NOT
- Not behavioral guidance. Use operational rules to guide behavior; use blacklists to stop specific commands.
- Not a substitute for permissions. If the credential can run a destructive command, the blacklist is your last line — but scoping permissions is the better first line.
- Not for nuanced cases. A pattern either matches or it doesn’t. If you need “block this in prod but allow in staging,” that’s an operational rule, not a blacklist entry.