06-reference

indy dev dan delete bash tool agentic security

2026-05-11·reference·source: IndyDevDan (YouTube)·by IndyDevDan
indy-dev-danagentic-securityclaude-codebash-toolpi-agenttutorial

"Engineers, DELETE the BASH Tool: Agentic Security For Pi Agent and Claude Code" — IndyDevDan

Why this is in the vault

Direct security counterweight to the prior IndyDevDan vault arc on Claude Code scale. RDCO's always-on Mac Mini agent runs hundreds of bash invocations per day across ~/.claude/scripts/, vault writes, git, Cloudflare/Vercel/Stripe CLI, Notion MCP — by Dan's framework, production-reachable + bash-broad means level-4 minimum required. Surfaces a concrete RDCO gap (no global pre-tool-use bash hook in settings.json) and gives a low-effort floor (damage-control codebase). Pairs with [[2026-05-15-nateherk-3-ways-to-deploy-claude-agents]] hooks framing and the no-secrets-on-disk + PR-only-workflow + no-autonomous-external-email rules already in memory.

Episode summary

Dan walks through five escalating levels of bash-tool security for agentic coding harnesses (Claude Code on Opus 4.7 vs the PI coding agent on GPT 5.5), arguing that "risk compounds with runtime" and that the only safe production posture is level 4 (whitelist) or level 5 (no bash tool at all, replaced by explicit MCP/extension tools). Live demos show GPT 5.5 jailbreaking each lower-level guardrail by writing inline Python, npm test scripts, and using the still-allowed write tool to truncate files. The thesis: agent capability is outpacing alignment, so defense must be deterministic (code-enforced) rather than non-deterministic (prompt-based).

Key arguments / segments (with embedded frames)

Notable claims

Mapping against Ray Data Co — RDCO uses Claude Code extensively + has many bash-using skills. Security implications of agentic-bash are directly relevant. Connects to: [[~/.claude/projects/-Users-ray/memory/feedback_no_secrets_on_disk]], any prior IndyDevDan filings.

Strong mapping. Direct hit on RDCO's core operating posture:

Related