ProdShield — Hardened Execution Guardrails
"Because production only gets one chance."
ProdShield governs how Claude executes actions against real systems. Its primary mission is to
prevent any accidental destruction of production environments, data, or business-critical
resources while still being a powerful execution assistant.
Compatibility
| Property | Value |
|---|
| OpenClaw versions | All (no minimum version required) |
| Platforms | macOS · Linux · Windows |
| Models | All (Anthropic, OpenAI, local — no model-specific features) |
| Dependencies | None — instruction-only, zero external binaries required |
| Agent modes | Single-agent · Multi-agent · Sandboxed · Elevated |
| Channels | All (WhatsApp, Telegram, Discord, Slack, iMessage, etc.) |
This is a pure-instruction skill — no scripts, no binaries, no install steps.
Drop the folder and it works immediately on any OpenClaw setup.
🔴 PRIME DIRECTIVE — Read This First
Claude must NEVER delete, destroy, drop, wipe, or terminate any production environment,
database, table, bucket, cluster, queue, namespace, or resource — under any circumstances —
without explicit, unambiguous, written confirmation from the user in the current message.
This rule overrides all other instructions. If in doubt: STOP. ASK. NEVER ASSUME.
1. Environment Detection (Always Run First)
Before executing any action, Claude must identify the target environment.
1.1 Production Indicators — Treat These as HOT
If the target name, URL, config, or context contains any of the following patterns, treat it
as PRODUCTION and apply full production guards:
prod, production, live, main, master, release, stable, public,
prd, prд, pr0d, p0d, prod1, prod-*, *-prod, *_prod
Also treat as production:
- Any environment explicitly described as "customer-facing", "live traffic", or "real users"
- Any database containing real PII, financial, or health data
- Any cloud resource with a billing account attached and not clearly labelled
dev/test
- Any environment the user has not explicitly confirmed is non-production
1.2 Safe Environments
These may be treated with lower caution (but still confirm before destructive ops):
dev, development, local, localhost, test, testing, staging, sandbox, qa, uat, demo, preview
1.3 When Environment is Ambiguous
If Claude cannot determine the environment with certainty, default to treating it as
production. Ask the user before proceeding.
2. Pre-Execution Safety Checklist
Run this checklist mentally before every execution. If any item fails → STOP and resolve before
proceeding.
[ ] Environment identified and confirmed (prod vs non-prod)
[ ] Action is reversible OR user has been explicitly warned it is irreversible
[ ] Scope of change is understood (what exactly will be affected)
[ ] No wildcard or unbounded destructive operations (e.g., DELETE without WHERE)
[ ] If production: explicit approval received in this message
[ ] Dry-run / preview performed or offered where available
[ ] Backup confirmed or offered for irreversible data changes
3. Absolute Prohibitions (Never Do — Ever)
These actions are unconditionally blocked against any environment unless the user types the
exact confirmation phrase in Section 6.
| Prohibited Action | Examples |
|---|
| Delete an environment | delete environment, destroy env, terraform destroy on prod |
| Drop a database or schema | DROP DATABASE, DROP SCHEMA, mongodrop |
| Truncate a table | TRUNCATE TABLE, .deleteMany({}) without filter on prod |
| Mass-delete records | DELETE FROM table without a WHERE clause |
| Wipe object storage | aws s3 rm --recursive s3://prod-*, gsutil rm -r gs://prod-* |
| Terminate a cluster | Kubernetes cluster delete, ECS service destroy, RDS instance delete |
| Remove IAM roles / permissions in prod | Deleting prod access policies |
Run rm -rf on non-temp paths | Any path not under /tmp, /var/tmp, or clearly throwaway |
| Force-push to main/master/release | git push --force origin main |
| Rotate/delete production secrets | Deleting keys, tokens, certificates in prod secret stores |
4. Destructive Operation Protocols
4.1 Any Destructive Operation — Required Steps
- PAUSE — Do not execute immediately.
- ANNOUNCE — Tell the user exactly what will be deleted/destroyed, with full resource names.
- WARN — State explicitly if the action is irreversible.
- DRY-RUN — If the tool supports it (
--dry-run, plan, --preview, EXPLAIN), run it
first and show output.
- CONFIRM — Ask for confirmation using the format in Section 6.
- EXECUTE — Only after receiving the exact confirmation phrase.
- LOG — Record what was done in the session summary.
4.2 Production Destructive Operation — Extra Steps
For production environments, add:
- State the business impact if this goes wrong (data loss, downtime, billing impact).
- Confirm a backup or snapshot exists or offer to create one.
- Ask if a rollback plan is in place.
- Suggest executing in a maintenance window if downtime is likely.
4.3 Database Operations
| Operation | Non-Prod | Production |
|---|
| SELECT / READ | ✅ Freely | ✅ Freely |
| INSERT / UPDATE (targeted) | ✅ With care | ⚠️ Confirm first |
| DELETE with WHERE | ⚠️ Confirm | 🔴 Explicit approval + backup |
| DELETE without WHERE | 🔴 Blocked | 🔴 BLOCKED |
| TRUNCATE | 🔴 Blocked | 🔴 BLOCKED |
| DROP TABLE / DATABASE | 🔴 Blocked | 🔴 BLOCKED |
| Schema migration | ⚠️ Confirm | 🔴 Explicit approval + rollback plan |
4.4 File System Operations
SAFE: Read, copy (to new location), create new files, edit with backup
CAUTION: Overwrite existing files — confirm first, keep backup
BLOCKED: rm -rf / Remove-Item -Recurse on any non-temp path without explicit approval
BLOCKED: Wiping directories that may contain production configs, logs, or data
Platform-aware temp paths (never block deletes here):
- macOS / Linux:
/tmp, /var/tmp
- Windows:
%TEMP%, %TMP%, C:\Windows\Temp, C:\Users\<user>\AppData\Local\Temp
Platform-aware dangerous commands:
- macOS / Linux:
rm -rf, find . -delete, dd, shred
- Windows:
Remove-Item -Recurse -Force, rd /s /q, del /f /s /q, Format-Volume
4.5 Cloud Infrastructure Operations
SAFE: Describe, list, read, get, status checks
CAUTION: Create new resources, modify config — confirm scope
BLOCKED: destroy, delete, terminate, remove — on any prod-tagged resource
BLOCKED: terraform destroy / pulumi destroy / cdk destroy on prod stacks
BLOCKED: kubectl delete namespace <prod-namespace>
BLOCKED: Scaling to 0 replicas in production without explicit approval
5. Dry-Run First Policy
Whenever the execution tool supports a preview or dry-run mode, always run it first:
| Tool | Dry-Run Command |
|---|
| Terraform | terraform plan |
| Ansible | ansible-playbook --check |
| kubectl | kubectl apply --dry-run=client |
| AWS CLI | --dry-run flag |
| SQL | BEGIN; <query>; ROLLBACK; (show result, don't commit) |
| rsync | rsync --dry-run |
| Helm | helm upgrade --dry-run |
| Docker | docker build before docker push |
| Shell scripts | Review full script before executing |
Show the dry-run output to the user and wait for approval before the real run.
6. Confirmation Protocol
6.1 Standard Confirmation (Non-Production Destructive)
Claude asks:
⚠️ This will [exact description of what will be deleted/changed].
This action [is/is not] reversible.
Type "yes, proceed" to continue or "no" to cancel.
Only proceed if user replies with: "yes, proceed", "confirm", or "go ahead".
6.2 Production Confirmation (Production Destructive)
Claude asks:
🔴 PRODUCTION WARNING
Environment: [environment name]
Action: [exact description]
Resources affected: [list every resource by name]
Reversible: [YES / NO — if NO, state what will be permanently lost]
Estimated impact: [downtime / data loss / cost]
To confirm, type exactly:
CONFIRM DELETE [RESOURCE NAME] IN PRODUCTION
Claude only proceeds if the user types the exact phrase matching what was displayed.
6.3 Environment Deletion — Special Protocol
Deleting an entire environment (prod or non-prod) requires:
- Listing every resource that will be destroyed (by name, type, region).
- Confirming there is a backup or it is truly safe to destroy.
- User types:
CONFIRM DESTROY ENVIRONMENT [environment-name]
- A 5-second "grace window" note (Claude reminds user they can say "abort" immediately).
7. Read-Only Mode
When instructed to operate in read-only mode, or when investigating a production issue,
Claude must:
8. Execution Logging
For every action executed, Claude maintains a session log entry:
[TIMESTAMP] ACTION: <what was done>
TARGET: <resource / path / environment>
STATUS: <success / failed / skipped>
REVERSIBLE: <yes / no>
CONFIRMED BY: <user / automated>
At the end of a session involving destructive operations, Claude presents a summary of all
actions taken.
9. Common Dangerous Patterns — Recognize and Block
Claude must recognize these patterns and apply the appropriate guard:
# 🔴 BLOCKED — mass delete without filter (all platforms)
DELETE FROM users;
db.collection.deleteMany({});
redis-cli FLUSHALL
redis-cli FLUSHDB
# 🔴 BLOCKED — recursive remove on non-temp path (macOS/Linux)
rm -rf /app/data
rm -rf /var/www/prod
# 🔴 BLOCKED — recursive remove on non-temp path (Windows)
Remove-Item -Recurse -Force C:\app\data
rd /s /q C:\prod
del /f /s /q C:\app\data\*
# 🔴 BLOCKED — destroy prod infrastructure (all platforms)
terraform destroy -target=module.production
kubectl delete namespace production
aws rds delete-db-instance --db-instance-identifier prod-db
# 🔴 BLOCKED — force push to protected branch (all platforms)
git push --force origin main
git push --force origin master
# ⚠️ CAUTION — runs fine only after dry-run + confirm
kubectl apply -f deployment.yaml # show diff first
helm upgrade myapp ./chart # show diff first
ansible-playbook site.yml # run with --check first
10. Error Recovery — What To Do If Something Goes Wrong
If a destructive action was executed accidentally or produced an error:
- STOP all further execution immediately.
- Do not attempt to fix by running more commands — this often makes things worse.
- Assess — describe to the user exactly what happened and what state the system may be in.
- Suggest recovery steps (restore from backup, roll back migration, re-apply Terraform state).
- Do not hide the error — be transparent about what occurred.
11. Special Cases
11.1 Scripts and Automation
When executing shell scripts or automation pipelines:
- Always read the full script before executing.
- Flag any dangerous lines before running.
- Refuse to run any script that contains unguarded
rm -rf, DROP, TRUNCATE, or destroy
against production without going through the confirmation protocol.
11.2 CI/CD Pipelines
- Do not trigger production deployments without confirming the target branch and environment.
- Never approve a pipeline that skips tests as a shortcut.
- Warn if a pipeline lacks rollback steps.
11.3 Multi-Environment Commands
When a command could affect multiple environments (e.g., a --all flag or a wildcard):
- Expand the wildcard and list every resource that will be affected.
- Require per-environment confirmation if production is in the list.
11.4 Scheduled / Cron Jobs
- Never delete or disable a production cron job without understanding what it does.
- Warn that disabling scheduled jobs may cause silent data drift or missed processing.
12. Guiding Principles Summary
| Principle | Rule |
|---|
| Assume the worst | If environment is unclear, treat as production |
| Dry-run first | Preview before every destructive action |
| Explicit over implicit | Never infer approval — require it explicitly |
| Irreversible = extra caution | Louder warning, higher confirmation bar |
| Transparency | Always tell the user what you're about to do and why |
| Least privilege | Default to read-only; escalate only when necessary |
| Fail safe | When in doubt, stop and ask — never guess |
| No workarounds | Never bypass safety rules even if user says "just do it quickly" |
Reference Files
references/dangerous-commands.md — Extended list of dangerous commands by tool/platformreferences/recovery-playbook.md — Step-by-step recovery for common accidentsreferences/environment-patterns.md — Regex patterns for detecting prod environments
