safepred-predictive-guardrail-computer-using
SafePred: Predictive Guardrails for Computer-Using Agents
This skill teaches Claude to implement predictive safety guardrails based on the SafePred framework. Instead of only checking whether the current action is dangerous (reactive), SafePred uses a world model to predict short-term and long-term consequences of candidate actions, scores them against explicit safety policies, and blocks or replans when predicted futures violate those policies. This catches delayed-harm scenarios--like modifying a system Python instead of using a virtualenv, or hardcoding credentials that later leak via version control--that reactive guardrails fundamentally cannot detect.
When to Use
- When building or extending a computer-using agent (browser automation, OS automation, CLI agent) that needs safety constraints beyond simple action blocklists
- When the user asks to "add guardrails" or "safety checks" to an agent pipeline that executes shell commands, file operations, or API calls
- When designing an automation system where some actions appear safe locally but cause irreversible damage downstream (e.g., deleting logs that break future audits)
- When implementing a multi-step agent workflow that needs both step-level intervention and task-level replanning on risk detection
- When the user wants to prevent their agent from entering non-progressive loops (repeating the same failing action)
- When building a safety evaluation harness to test whether an agent's action sequences comply with a set of policies
Key Technique
The core insight: State prediction is not the same as risk prediction. Predicting what will happen after an action is only useful once you evaluate that predicted state against explicit safety policies. SafePred separates these concerns into a three-phase pipeline: (1) structure safety policies from natural-language documents, (2) predict both immediate UI/system changes and long-horizon outcomes for each candidate action, and (3) convert policy violations into a risk score that drives step-level feedback or full task replanning.
How the world model works: Given the current system state s_t, a candidate action a_t, the task intent, active policies, recent trajectory (last 7 steps), and the execution plan, the world model produces two outputs. The short-term prediction s_{t+1} describes immediate changes (files created, UI elements altered, command output). The long-term prediction z_{t:T} is a natural-language abstraction of whether the action advances the task, introduces reversible or irreversible obstacles, or deviates from objectives. This avoids unreliable multi-step rollouts by grounding long-term assessment in policy-relevant attributes rather than exhaustive state enumeration.