Welcome to Snow CLI! Agentic coding in your terminal.
Sensitive commands are those that may have a significant impact on the system, data, or project when executed. These commands require explicit user confirmation before execution to prevent accidental operations that could lead to data loss or system damage.
Snow CLI ships with a set of common sensitive command patterns built in and lets users add custom commands that need protection.
When using AI-driven command line tools, the AI may suggest executing certain destructive commands. The sensitive commands configuration feature can:
- Prevent accidental execution of dangerous commands (such as rm -rf, git reset --hard, etc.)
- Provide users with confirmation opportunities before executing important operations
- Provide customizable command protection mechanisms
- Protect project and data security
Snow CLI protects the following types of commands by default:
- rm -rf - Recursive force delete
- rmdir /s - Windows recursive directory deletion
- del /f - Windows force delete
- git reset --hard - Hard reset (discard all changes)
- git clean -fd - Delete untracked files and directories
- git push --force - Force push
- git branch -D - Force delete branch
- git rebase - Rebase operation
- git checkout - Branch switching (may lose uncommitted changes)
- sudo rm - Delete with administrator privileges
- chmod -R - Recursively modify file permissions
- chown -R - Recursively modify file owner
- DROP DATABASE - Delete database
- DROP TABLE - Delete table
- TRUNCATE - Clear table data
- Start Snow CLI
- Select "Sensitive Commands Configuration" in the main menu
- Enter the sensitive commands configuration interface
The configuration interface displays all configured sensitive commands, including:
- Command pattern (supports regular expressions)
- Command description
- Enabled/disabled status
- Whether it is a system built-in command
Interface features:
- Use [✓] to mark enabled commands
- Use [ ] to mark disabled commands
- Custom commands display (Custom) marker
- Supports scrolling, displaying up to 13 commands at a time
You can enable or disable protection for specific commands as needed.
- Navigate to Target Command
  - Use ↑/↓ arrow keys to move through the command list
  - The currently selected command will be highlighted
- Toggle Enabled Status
  - Press Space to toggle the enabled/disabled status of the selected command
  - The system will display an operation success message (disappears automatically after 2 seconds)
- View Command Details
  - The description of the currently selected command is displayed below the list
  - Shows the enabled status of the command
  - If it's a custom command, displays [Custom] marker
In addition to system built-in sensitive commands, you can add your own sensitive command patterns.
- Enter Add Mode
  - Press A key in the command list interface
  - Enter "Add Custom Sensitive Command" interface
- Fill in Command Pattern
  - Enter the command to protect in the "Command Pattern" field
  - Supports regular expression matching
  - Examples:
    - npm uninstall - Exact match
    - ^docker rm - Commands starting with docker rm
    - .*--force.* - Commands containing --force parameter
  - Press Enter or Tab to move to the next field
- Fill in Command Description
  - Enter the command description in the "Description" field
  - Clearly describe the danger or impact of this command
  - Examples:
    - "Uninstall npm package"
    - "Force delete Docker container"
    - "Commands containing force execution parameter"
  - Press Enter to submit
- Complete Addition
  - The system validates the input and saves the custom command
  - Displays addition success message
  - Automatically returns to the command list interface
  - Newly added commands are enabled by default
- Exact Match
  - git reset --hard - Only matches the exact same command
- Prefix Match
  - ^npm uninstall - Matches all commands starting with "npm uninstall"
- Contains Match
  - .*--force.* - Matches all commands containing "--force"
- Multiple Options Match
  - git (reset|clean|push --force) - Matches multiple related git operations
You can delete custom sensitive commands that are no longer needed. Note: System built-in commands cannot be deleted.
- Select Command to Delete
  - Use ↑/↓ arrow keys to select a custom command
  - Only commands marked as (Custom) can be deleted
- Request Deletion
  - Press D key to request deletion
- Confirm Deletion
  - Press D key again to confirm deletion
  - Or press ESC to cancel deletion
  - Display confirmation message after successful deletion
  - Cursor automatically moves to the next command
- System built-in commands cannot be deleted (will not respond to D key)
- Requires double confirmation before deletion to prevent accidental operations
- Deletion operations are irreversible; proceed carefully
If you have made extensive modifications to the configuration, you can reset to the system default configuration with one click.
- Request Reset
  - Press R key in the command list interface
  - The system will display a confirmation prompt:
    Confirm reset to default configuration? All custom commands will be deleted, press R again to confirm, press ESC to cancel
- Confirm Reset
  - Press R key again to confirm reset
  - Or press ESC to cancel reset
  - Display confirmation message after successful reset
- Reset Effects
  - Delete all custom commands
  - Restore all system built-in commands to enabled status
  - Configuration takes effect immediately
- Reset operation will delete all custom commands
- Reset operation is irreversible
- Requires double confirmation before execution
- Record important custom configurations before resetting
- ↑/↓: Navigate through the command list
- Space: Enable/disable selected command
- A: Add custom sensitive command
- D: Delete custom command (requires double confirmation)
- R: Reset to default configuration (requires double confirmation)
- ESC: Return to main menu or cancel confirmation operation
- Tab: Switch between input fields
- Enter: Confirm input and move to next field (last field submits)
- ESC: Cancel addition and return to list interface
Ensure the following types of commands are protected:
- Delete operations (files, directories, databases)
- Git destructive operations (reset, clean, force push)
- Permission modification operations
- Batch operation commands
- Avoid overly broad matching patterns (like .*), which may cause all commands to require confirmation
- Use precise prefix or keyword matching
- Test regular expressions to ensure they only match expected commands
- Descriptions should explain the command's function and potential risks
- Help you quickly understand the command's impact when confirming
- Example: "Force delete all untracked files, irreversible"
- Regularly check configured sensitive commands
- Delete custom rules that are no longer needed
- Adjust protection scope according to project needs
If using in a team environment:
- Share commonly used custom sensitive command configurations
- Unify team command protection standards
- Train team members to understand the importance of sensitive commands
When the AI suggests executing a command, Snow CLI will:
- Check if Command Matches Sensitive Pattern
  - Iterate through all enabled sensitive command rules
  - Use regular expressions to match command content
- Trigger Confirmation Process
  - If the command matches any sensitive pattern
  - Pause execution and display confirmation dialog
  - Display command content and warning information
- Wait for User Decision
  - User can choose to execute or cancel
  - After cancellation, AI receives feedback and may suggest alternatives
  - After execution, command runs normally
- Execute Directly if Not Matched
  - If the command does not match any sensitive pattern
  - Execute directly without additional confirmation
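The matching step above, and the earlier advice to test regular expressions, can be checked offline before a rule is relied on. The following is an added example, not Snow CLI's own code: it assumes a rule fires when its pattern is found anywhere in the command (JavaScript RegExp search, no flags), and the rule object shape and the sample commands are constructed for illustration.

```javascript
// Added example, not Snow CLI's own code. Assumption: a rule fires when its
// pattern is found anywhere in the command (RegExp search, no flags).
function auditRules(rules, samples) {
  const report = { invalid: [], overBroad: [], missed: [], unexpected: [] };
  const active = [];
  for (const rule of rules.filter((r) => r.enabled)) {
    let re;
    try {
      re = new RegExp(rule.pattern);
    } catch (err) {
      report.invalid.push(rule.pattern); // cannot compile, protects nothing
      continue;
    }
    // A pattern that matches the empty string matches every command.
    if (re.test("")) report.overBroad.push(rule.pattern);
    else active.push(re); // over-broad rules are left out so they cannot hide gaps
  }
  for (const { command, sensitive } of samples) {
    const hit = active.some((re) => re.test(command));
    if (sensitive && !hit) report.missed.push(command);
    if (!sensitive && hit) report.unexpected.push(command);
  }
  return report;
}

// Constructed rules (hypothetical object shape) and labelled sample commands.
const rules = [
  { pattern: "rm -rf", enabled: true },
  { pattern: "DROP TABLE", enabled: true },
  { pattern: "^docker rm", enabled: true },
  { pattern: ".*--force.*", enabled: true },
  { pattern: "git (reset|clean", enabled: true }, // unbalanced parenthesis
  { pattern: ".*", enabled: true },
];
const samples = [
  { command: "rm -rf build/", sensitive: true },
  { command: "rm -fr build/", sensitive: true },
  { command: "drop table users;", sensitive: true },
  { command: "docker rm -f web", sensitive: true },
  { command: "sudo docker rm -f web", sensitive: true },
  { command: "git push --force origin main", sensitive: true },
  { command: "ls -la", sensitive: false },
  { command: "grep -n 'rm -rf' deploy.sh", sensitive: false },
];

console.log(auditRules(rules, samples));
```

The report lists the pattern that does not compile, the .* rule that would prompt on every command, three sensitive commands that no rule catches (reordered flags, lowercase SQL, and a sudo prefix in front of an anchored pattern), and one harmless grep that would trigger a prompt.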
Q: Does sensitive commands configuration affect all projects?
A: Yes. Sensitive commands configuration is global and applies to all projects using Snow CLI. This ensures consistent security protection.
Q: Can I temporarily disable protection for a specific sensitive command?
A: Yes. Enter the sensitive commands configuration interface, find the corresponding command and press Space to disable it. After completing the operation, it is recommended to re-enable the protection.
Q: Is regular expression matching case-sensitive?
A: This depends on how you write your regular expression. If you need case-insensitive matching, you can use case-insensitive patterns or match both uppercase and lowercase variants simultaneously.
Q: What if I accidentally delete a custom command?
A: Deletion operations are irreversible, but you can re-add the command. It is recommended to record important custom configurations or regularly back up the configuration file.
Q: Can sensitive commands protection completely prevent command execution?
A: No. Sensitive commands protection only provides confirmation prompts; whether to execute is ultimately decided by the user. This is to maintain flexibility while ensuring security.
Q: Can system built-in commands be permanently deleted?
A: No, but you can disable them. If you need to restore them, use the "Reset to Default Configuration" function.
Q: Do I need to restart Snow CLI after adding a custom command?
A: No. Configuration changes take effect immediately and will be applied the next time the AI suggests executing a command.
Sensitive commands configuration is stored in the Snow CLI configuration directory:
- Windows: %USERPROFILE%\.snow\sensitive-commands.json
- macOS/Linux: ~/.snow/sensitive-commands.json
You can directly edit this file for batch configuration, but it is recommended to use the configuration interface to ensure correct formatting.
- Command Injection Mode - Execute commands directly in messages, also protected by sensitive command checks
- Vulnerability Hunting Mode - Professional security analysis feature, also uses sensitive command protection