dangerous-actions

Rosetta CRITICAL MUST skill. MUST activate when action or its consequence is potentially dangerous, potentially irreversible, potentially destructive, or HIGH RISK. MUST activate when consequence MAYBE dangerous even if action itself seems safe. This is enterprise environment — the cost of dangerous activities is EXTREMELY HIGH, recovery may be impossible, and blast radius may affect production, shared environments, or other teams. If there is even a remote chance - load the skill.

8 stars

Best use case

dangerous-actions is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Rosetta CRITICAL MUST skill. MUST activate when action or its consequence is potentially dangerous, potentially irreversible, potentially destructive, or HIGH RISK. MUST activate when consequence MAYBE dangerous even if action itself seems safe. This is enterprise environment — the cost of dangerous activities is EXTREMELY HIGH, recovery may be impossible, and blast radius may affect production, shared environments, or other teams. If there is even a remote chance - load the skill.

Teams using dangerous-actions should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/dangerous-actions/SKILL.md --create-dirs "https://raw.githubusercontent.com/griddynamics/rosetta/main/instructions/r2/core/skills/dangerous-actions/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/dangerous-actions/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How dangerous-actions Compares

Feature / Agentdangerous-actionsStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Rosetta CRITICAL MUST skill. MUST activate when action or its consequence is potentially dangerous, potentially irreversible, potentially destructive, or HIGH RISK. MUST activate when consequence MAYBE dangerous even if action itself seems safe. This is enterprise environment — the cost of dangerous activities is EXTREMELY HIGH, recovery may be impossible, and blast radius may affect production, shared environments, or other teams. If there is even a remote chance - load the skill.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

<dangerous_actions>

<process>

1. Assess BLAST RADIUS before execution.
2. "THINK THE OPPOSITE" — what if this goes wrong?
3. Consider safer alternatives.
4. MUST REQUIRE EXPLICIT user approval for hard-deny tier (see below).

Examples (not limited):

- Deleting data from actual servers
- Using actual servers in unit testing
- git reset, deleting branches, force-push
- Generating destructive scripts or commands
- Modifying shared infrastructure, CI/CD, permissions
- Dropping or truncating database tables

Exceptions (only after blast radius):

5. Application code itself.
6. Just-created data you CAN fully recover.
7. Temporary data without side-effects.

</process>

<pitfalls>

- Assuming local action has no remote consequence.
- Generating destructive commands in scripts without flagging.

</pitfalls>

<hook>

Active in Claude Code, Cursor, Copilot, and Codex. Windsurf: adapter ships but no plugin yet.

An automated PreToolUse hook backs this skill for the highest-blast-radius patterns (Bash destructive commands, file writes to secret paths, DDL payloads in content). The hook is a deterministic tripwire — it does not replace this skill's reasoning process. Use this skill to reason about danger; the hook enforces a last-resort gate if that reasoning is skipped.

## Two-tier policy

All patterns are classified as either **reconsider** (dangerous but recoverable) or **hard-deny** (catastrophic, no bypass exists):

| Tier | Examples | AI behaviour on deny |
|------|---------|----------------------|
| `reconsider` | `rm -rf ./cache`, `git reset --hard`, `git branch -D`, `aws s3 rm --recursive`, DDL in content | Deny with retry instruction; AI may add `Rosetta-AI-reviewed` comment after reconsidering blast radius |
| `hard-deny` | `rm -rf /`, `rm -rf $HOME`, `mkfs`, `dd of=/dev/`, `curl \| sh`, writes to `.env` / SSH keys / AWS credentials / kubeconfig | Permanent block; human review required |

## Threat model

This hook is a **deterministic safety net against accidental destructive intent** — not a security boundary against a determined adversary.

| Protects against | Does not protect against |
|-----------------|--------------------------|
| Accidental `rm -rf /` by AI on the way to its real task | A determined AI with explicit instructions to bypass |
| Human typos in command strings | Prompt injection targeting the override token |
| Unintentional secret file writes | Novel MCP tools with non-standard field names |
| AI self-approving supply-chain attacks (`curl \| sh` is hard-deny) | Agents with OS-level shell access granted by the user |

## Override mechanism — reconsider tier

When the hook denies a `reconsider`-tier pattern:

1. Read the deny message: it explains the pattern, blast radius reason, and retry instructions.
2. Reconsider the blast radius: is the target actually safe? Is there a safer alternative?
3. If the action is genuinely necessary, append `Rosetta-AI-reviewed` as a comment to a **user-visible payload field** and retry:
   - `Bash`: in the `command` field (append as a bash comment)
   - `Write`: in the `content` field (append as an appropriate comment)
   - `Edit`: in the `new_string` field (append as an appropriate comment)
   - `MultiEdit`: in the `new_string` of the relevant `edits[]` entry
   - `MCP`: in `command`, `sql`, `query`, `new_string`, or `content`
4. If unsure about blast radius, stop and ask the user before proceeding.

**Not accepted**: `description`, `comment`, `metadata`, or any field not rendered in the IDE UI. This prevents silent self-assertion via hidden fields.

**Detection**: any occurrence of `Rosetta-AI-reviewed` with word boundaries in a whitelisted field is accepted. Exact case required. Rejected: `Rosetta-reviewed` (old token), `rosetta-ai-reviewed` (lowercase), `Rosetta-AI-reviewedX` (suffix word char).

## Hard-deny tier

`hard-deny` patterns **cannot be bypassed by the `Rosetta-AI-reviewed` marker**. When the hook returns `HARD-DENY`:

1. Stop immediately — do not retry with the marker.
2. Explain the block and blast radius to the user.
3. Propose a safer alternative if one exists.
4. Wait for the human to explicitly confirm before taking any equivalent action.

</hook>

</dangerous_actions>

Related Skills

operation-manager

8
from griddynamics/rosetta

Rosetta skill for reliable execution: plan creation, tracking, and execution coordination via local JSON files.

load-workflow

8
from griddynamics/rosetta

Rosetta MUST skill to select, load, and activate the best-matching workflow for the current request, inject its phases into the execution plan, and restore state when resuming.

load-context-instructions

8
from griddynamics/rosetta

Detect active execution mode and load Rosetta bootstrap instructions accordingly.

gitnexus-setup

8
from griddynamics/rosetta

Use when directly requested to install GitNexus.

gitnexus-cli

8
from griddynamics/rosetta

GitNexus CLI reference for npx commands — analyze, status, clean, wiki, list — with flags, effects, and when to run each.

testing

8
from griddynamics/rosetta

Rosetta testing skill for thorough, isolated, idempotent tests with 80% minimum coverage, external-only mocking, and scenario-driven testing. Use when writing or updating tests.

tech-specs

8
from griddynamics/rosetta

Rosetta skill for defining clear, testable tech specifications from requirements. Use when creating implementation-ready documentation that defines the target state architecture, contracts, and interfaces.

subagent-contract

8
from griddynamics/rosetta

Rosetta MUST skill. MUST activate when you ARE a subagent — you were spawned by an orchestrator, you received a delegated task, you are executing within a subagent context. Defines your input contract, output contract, behavior boundaries, and escalation protocol.

specflow-use

8
from griddynamics/rosetta

Connect Rosetta locally with Grid Dynamics SpecFlow MCP. Trigger only when the user mentions SpecFlow or SpecFlow workspaces and if SpecFlow MCP is already installed.

sensitive-data

8
from griddynamics/rosetta

Rosetta CRITICAL MUST skill. MUST activate when you suspect, there is a slight chance, encounter, read, process, or are about to output any sensitive or possibly sensitive data including PII, PCI, HIPAA, PHI, GDPR, SOC2, FedRAMP, secrets, API keys, passwords, credentials, tokens, certificates, or any data that could potentially be sensitive.

self-organization

8
from griddynamics/rosetta

Rosetta MUST skill for proactive planning, large-file restructuring (~500+ lines or 10K+ size), cleanup of stale information. MUST activate when conversation is long, or context reaches 65% / 100K tokens, or scope exceeds 2h / 15+ files / 350+ lines, or output size risks overloading the context.

self-learning

8
from griddynamics/rosetta

Rosetta MUST skill. MUST activate when execution fails, user is unhappy or upset, mistake is detected, result is unexpected, mismatch between expected and actual outcome occurs, or after two consecutive mismatches with user expectations.