Your AI can't delete files. By design.
The guard, the vault, and the Doctor: exactly how ClevSkill keeps Claude safe, your secrets encrypted, and your setup healthy. Every claim on this page is shipped behavior, not marketing copy.
The guardrails
A guard inspects every shell command the AI wants to run, before it runs:
| Operation | What happens |
|---|---|
| Catastrophic deletes (wiping home or root, protected folders), disk formatting, raw disk writes, fork bombs, destructive git resets | Blocked outright. The AI cannot run them. |
| Ordinary deletes, moves, overwrites | Backed up first to a local recycle bin, then allowed. One command restores anything. |
| Classic mistakes: overwriting a real file with an empty one, truncating a non-empty file | Blocked as mistake traps. |
| Bulk deletes over a size cap | Blocked until a full backup exists. |
| Everything above | Logged with a timestamp and the exact command: a complete local audit trail of what the AI did and didn't do. (Claude Cowork's own activity isn't in Anthropic's enterprise audit logs; this is.) |
Around the guard sits the 20-skill security suite: inbound email links and attachments scanned (local heuristics plus VirusTotal when a free key is connected, failing closed on errors, verdicts cached 24 hours), URLs vetted before agent browsing with Playwright or Firecrawl, prompt-injection detection on untrusted text, secret-leak scanning on outbound messages, and MCP config auditing before servers are added.
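The guard's classification in the table above, written out as a pre-execution hook (added illustration, not ClevSkill's shipped code): blocking patterns, protected paths, the bulk-delete cap and the audit-log path are assumptions made for the example.

```python
import json, os, re, shlex, tempfile, time
from pathlib import Path
# Constructed policy modelled on the table above. Patterns, protected paths, the
# size cap and the log path are illustrative assumptions, not ClevSkill's own rules.
BLOCK_PATTERNS = [
    (re.compile(r"(^|\s)mkfs(\.\w+)?(\s|$)"), "disk formatting"),
    (re.compile(r"(^|\s)dd\s.*\bof=/dev/"), "raw disk write"),
    (re.compile(r"(^|\s)git\s+reset\s+--hard\b"), "destructive git reset"),
]
PROTECTED = {"/", str(Path.home()), "/etc", "/usr", "/boot"}
BULK_CAP_BYTES = 1_000_000  # assumed cap: bigger deletes need a full backup first
TRUNCATE = re.compile(r"(?<!>)>(?!>)\s*([^\s&|;>]+)")  # "> file", not ">>" or "2>&1"
LOG = os.path.join(tempfile.gettempdir(), "clevskill-guard-demo.jsonl")  # assumed path

def _size(path: str) -> int:
    p = Path(os.path.expanduser(path))
    files = [p] if p.is_file() else p.rglob("*") if p.is_dir() else []
    return sum(f.stat().st_size for f in files if f.is_file())

def classify_segment(seg: str, backup_exists: bool) -> tuple[str, str]:
    """One simple command -> (verdict, reason): BLOCK, BACKUP_THEN_ALLOW or ALLOW."""
    for pat, reason in BLOCK_PATTERNS:
        if pat.search(seg):
            return "BLOCK", reason
    m = TRUNCATE.search(seg)
    if m and _size(m.group(1)) > 0:  # "> existing.txt" would empty a real file
        return "BLOCK", "mistake trap: truncating a non-empty file"
    try:
        argv = shlex.split(seg)
    except ValueError:
        return "BLOCK", "unparseable command"
    argv = argv[1:] if argv[:1] == ["sudo"] else argv  # look past a sudo prefix
    if argv and argv[0] == "rm":
        targets = [os.path.abspath(os.path.expanduser(a)) for a in argv[1:] if not a.startswith("-")]
        if any(t in PROTECTED for t in targets):
            return "BLOCK", "catastrophic delete of protected path"
        if sum(_size(t) for t in targets) > BULK_CAP_BYTES and not backup_exists:
            return "BLOCK", "bulk delete over size cap without full backup"
        return "BACKUP_THEN_ALLOW", "ordinary delete: copy to recycle bin first"
    return "ALLOW", "nothing destructive detected"

def guard(cmd: str, backup_exists: bool = False) -> str:
    """Worst verdict across ; && || | segments; every decision goes to the audit log."""
    rank = {"ALLOW": 0, "BACKUP_THEN_ALLOW": 1, "BLOCK": 2}
    results = [classify_segment(s.strip(), backup_exists) for s in re.split(r"&&|\|\||;|\|", cmd)]
    verdict, reason = max(results, key=lambda vr: rank[vr[0]])
    with open(LOG, "a") as f:  # timestamp + exact command: the local audit trail
        f.write(json.dumps({"ts": time.time(), "cmd": cmd, "verdict": verdict, "reason": reason}) + "\n")
    return verdict
```

Shell variables and aliases are not expanded here, so a production guard has to resolve them (or run after the shell has) before classifying; the example only shows the decision structure.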
What the Doctor monitors, weekly, per desktop
| Area | What we check |
|---|---|
| Skills health | Every installed skill examined for breakage, missing pieces, and rot |
| Setup integrity | Claude installation, paths, and configuration drift |
| Safety floor | The guard and safety hooks are present and wired |
| MCP connections | Server configs audited for problems and unsafe entries |
| Memory hygiene | CLAUDE.md and memory files checked for token-wasting bloat |
| Secrets posture | Plaintext .env files flagged; same-name collisions across projects detected and surfaced for resolution |
| Usage cost | Spend vs your weekly cap, with 50% and 80% alerts |
| Version drift | Claude version vs current, plus our signed update channel |
Results land on your Monitoring page (verdict, last scan, must-fix and recommended counts, cost-cap usage per desktop, stale detection at 14 days) and in the Monday "Your AI is healthy" email. What reports out is the scoreboard only: finding counts and titles, never file contents, configs, keys, or chat history, and only if you opted in at enrollment. Repairs are always consent-gated.
The Vault: no more .env files
Every API key, your license, and your seat token live in an AES-256-GCM encrypted vault on your own machine, with the master key held by your operating system's keychain (Windows Credential Manager). Four scopes (personal, project, client, company) resolve at read time, a collision detector catches same-named keys, and every access is written to a local audit log. Nothing in the vault ever leaves your machine.
Storing a secret
In the installer's Connect or Keys screens: the field is masked, the value travels straight into the vault (never on a command line, never in a log, never echoed back), and where the provider supports it the key is validated live before storing; a wrong key is rejected, not saved. Already have keys in plaintext .env files? The Keys screen finds them, moves the ones you pick into the vault, and retires the file reversibly.
Using it with your tools: VS Code, GitHub, Antigravity, anything
The clevskill-run launcher resolves your keys from the vault and injects them into the process you start, so any tool that reads environment variables just works: clevskill-run -- code . for VS Code, clevskill-run -- gh pr create for GitHub CLI, the same pattern for Antigravity, n8n, or your own scripts. Zero code changes. A per-project manifest lists key NAMES only (safe to commit); when a tool insists on a .env file, an ephemeral one is generated and shredded when the process exits.
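The scope resolution and collision detection described under The Vault, together with the launcher pattern above (names in a committed manifest, values only in the child's environment), as an added illustration that is not ClevSkill's own code. The scope precedence, the sample key names and the sample values are assumptions.

```python
import os, subprocess, sys

# Constructed example of the launcher pattern described above; not ClevSkill's own
# code. Scope precedence (personal wins over project, project over client, client over
# company) is an assumption, as are the sample names and values below.
SCOPES = ("personal", "project", "client", "company")

def resolve(manifest, vault):
    """manifest: key NAMES only (safe to commit); vault: {(scope, name): value}.
    Returns (env, collisions). env maps each name to the value from the most specific
    scope; collisions lists names held in several scopes with differing values, which
    are surfaced for the user to resolve rather than silently picked."""
    env, collisions = {}, []
    for name in manifest:
        hits = [vault[(s, name)] for s in SCOPES if (s, name) in vault]
        if not hits:
            raise KeyError(f"{name} is listed in the manifest but absent from the vault")
        if len(set(hits)) > 1:
            collisions.append(name)
        env[name] = hits[0]
    return env, collisions

def run_with_keys(manifest, vault, argv):
    """Start argv with the resolved keys present only in its environment, never on the
    command line, and return its stdout. Refuses to start while a collision is unresolved."""
    env, collisions = resolve(manifest, vault)
    if collisions:
        raise RuntimeError(f"resolve these same-name collisions first: {collisions}")
    proc = subprocess.run(argv, env={**os.environ, **env}, capture_output=True, text=True, check=True)
    return proc.stdout

# Constructed vault contents for the demo; a real vault holds these encrypted at rest.
VAULT = {("company", "OPENAI_API_KEY"): "sk-company-demo", ("project", "GITHUB_TOKEN"): "ghp-project-demo"}

def demo():
    """Child process reads GITHUB_TOKEN from its environment, exactly as gh or VS Code would."""
    child = [sys.executable, "-c", "import os; print(os.environ['GITHUB_TOKEN'])"]
    return run_with_keys(["GITHUB_TOKEN"], VAULT, child).strip()
```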
How AI agents use it, safely
Claude can see WHICH keys exist (the maintenance connector lists names only, never values) and skills receive values only through the environment of processes you launch. No tool exists that prints a secret back into a chat, a log, or a file. The same applies to your license: the installer's Enroll step stores it encrypted, with no plaintext copy on disk.
Moving machines
Migrations never bundle plaintext secrets. Keys travel only inside an encrypted, passphrase-protected transfer you create on purpose, or you re-enter them on the new machine; the migration tool tells you exactly which keys you actually use.
MCP tool governance: what Claude can and cannot touch
Claude uses MCP tools to interact with your ClevSkill setup. Every tool is classified: read-only tools run freely; write tools require your explicit approval and take a snapshot first.
| Tool class | Examples | Behavior |
|---|---|---|
| Read-only (9 tools) | health check, detect, diagnose, list packs, vault list, cost status, audit, scan, MCP self-audit | Claude runs them any time. No state changes, no prompts. |
| Consent-gated (4 tools) | install pack, repair, self-heal, rollback | Requires your approval before running. A snapshot is taken before the operation. If anything goes wrong, one command reverts it. |
This is the same principle as the guard applied to MCP: Claude can observe everything and fix nothing without you. The audit log records every tool call, consent decision, and snapshot reference.
Memory management
Bloated memory files silently burn your Claude plan: every session re-reads them. The weekly scan flags CLAUDE.md and memory files that have grown past healthy size, the token optimizer trims them with your approval, our generated configs follow a strict keep-it-short discipline from day one, and your memory travels with you when you move or copy your setup between computers.
Two-track deployment: Claude Code and Claude Team app
ClevSkill manages both Claude surfaces, because enterprises and MSPs use both.
| Surface | How ClevSkill governs it |
|---|---|
| Claude Code (terminal / IDE) | Hard hook enforcement: every shell command passes through the guard before it runs. Hooks are wired at install and verified weekly by the Doctor. Non-negotiable: a user cannot accidentally disable them from inside a session. |
| Claude Team app (Cowork desktop / claude.ai) | No hook system exists in the Team app, so ClevSkill generates behavioral guardrails via Project instructions and a mirrored audit trail. Policies push from the portal. Cowork activity is not in Anthropic enterprise audit logs; ours is a local replacement. |
Most teams use both surfaces. ClevSkill is the only product that handles the governance gap for each of them.