Documentation Index
Fetch the complete documentation index at: https://mintlify.com/nullclaw/nullclaw/llms.txt
Use this file to discover all available pages before exploring further.
Shell Tool
The shell tool executes shell commands in the workspace directory with comprehensive security controls:
- Command validation against SecurityPolicy
- Environment sanitization to prevent API key leaks
- Working directory control with
cwd parameter
- Timeout enforcement (default: 60 seconds)
- Output limits (default: 1 MB)
Parameters
The shell command to execute
Working directory (absolute path within allowed paths; defaults to workspace)
Configuration
const st = try allocator.create(shell.ShellTool);
st.* = .{
.workspace_dir = "/path/to/workspace",
.allowed_paths = &.{}, // Additional allowed directories
.timeout_ns = 60 * std.time.ns_per_s, // 60 second default
.max_output_bytes = 1_048_576, // 1 MB default
.policy = &security_policy, // Optional SecurityPolicy
};
Usage
Basic Command
{
"tool": "shell",
"command": "ls -la"
}
total 24
drwxr-xr-x 5 user staff 160 Mar 1 12:00 .
drwxr-xr-x 3 user staff 96 Mar 1 11:00 ..
-rw-r--r-- 1 user staff 100 Mar 1 12:00 README.md
drwxr-xr-x 3 user staff 96 Mar 1 11:30 src
Custom Working Directory
{
"tool": "shell",
"command": "pwd",
"cwd": "/workspace/src"
}
Pipeline Commands
{
"tool": "shell",
"command": "git status --short | grep M"
}
M src/main.zig
M src/config.zig
Security Model
SecurityPolicy Validation
When a SecurityPolicy is configured, all commands are validated before execution:
const policy = SecurityPolicy{
.autonomy = .supervised,
.workspace_dir = "/workspace",
.allowed_commands = &.{ "git", "ls", "cat", "grep", "echo", "touch" },
.require_approval_for_medium_risk = true,
.block_high_risk_commands = true,
.tracker = &rate_tracker,
};
- Low risk — Read-only operations (ls, cat, grep, pwd, echo)
- Medium risk — Write operations (touch, mkdir, git add, git commit)
- High risk — Destructive operations (rm -rf, dd, mkfs, iptables, kill)
Policy Actions:
| Risk Level | autonomy=supervised | autonomy=full |
|---|
| Low | Execute | Execute |
| Medium | Require approval* | Execute |
| High | Block** | Require approval |
require_approval_for_medium_risk = true
**If block_high_risk_commands = true
Example: Approval Required
{
"tool": "shell",
"command": "touch test.txt"
}
Command requires approval (medium/high risk): touch test.txt
Example: Blocked Command
{
"tool": "shell",
"command": "rm -rf /"
}
High-risk command blocked by security policy
Allowed Commands Allowlist
When allowed_commands is configured, only listed commands are permitted:
.allowed_commands = &.{ "git", "ls", "cat", "grep" },
{
"tool": "shell",
"command": "rm file.txt"
}
Command not allowed by security policy
Environment Sanitization
The shell tool clears all environment variables by default, then re-adds only safe functional variables:
Safe environment variables:
PATH — Command search pathHOME — User home directoryTERM — Terminal typeLANG, LC_ALL, LC_CTYPE — Locale settingsUSER — UsernameSHELL — Default shellTMPDIR — Temporary directory
Blocked variables:
OPENAI_API_KEYANTHROPIC_API_KEYGEMINI_API_KEY- All other environment variables
This prevents accidental API key leaks via command injection (CWE-200).
Working Directory Control
Default: workspace_dir
By default, commands run in workspace_dir:
{
"tool": "shell",
"command": "pwd"
}
Custom cwd (within workspace)
{
"tool": "shell",
"command": "ls",
"cwd": "/workspace/src"
}
main.zig
config.zig
utils.zig
Custom cwd (outside workspace)
Requires allowed_paths configuration:
st.* = .{
.workspace_dir = "/workspace",
.allowed_paths = &.{
"/data",
"/home/user/projects",
},
};
{
"tool": "shell",
"command": "ls",
"cwd": "/data"
}
{
"tool": "shell",
"command": "ls",
"cwd": "/etc"
}
cwd is outside allowed areas
cwd Validation Rules
cwd must be an absolute pathcwd must be within workspace_dir or allowed_pathscwd is resolved with realpathAlloc() to prevent symlink escapes- Relative
cwd is rejected: “cwd must be an absolute path”
The shell tool uses the platform’s default shell:
| Platform | Shell | Command Format |
|---|
| macOS | /bin/sh | sh -c "command" |
| Linux | /bin/sh | sh -c "command" |
| Windows | cmd.exe | cmd.exe /c "command" |
-c flag (Unix) or /c flag (Windows).
Timeout and Output Limits
Timeout
Commands are terminated after timeout_ns nanoseconds:
.timeout_ns = 60 * std.time.ns_per_s, // 60 seconds
{
"tool": "shell",
"command": "sleep 120"
}
Command terminated by signal
Output Limit
Stdout and stderr are truncated to max_output_bytes:
.max_output_bytes = 1_048_576, // 1 MB
{
"tool": "shell",
"command": "cat /dev/zero | head -c 10M"
}
[Binary output truncated to 1 MB]
Error Handling
Command Failure (Non-Zero Exit Code)
{
"tool": "shell",
"command": "ls /nonexistent"
}
ls: /nonexistent: No such file or directory
ToolResult.success = false
Signal Termination
{
"tool": "shell",
"command": "sleep 1000"
}
Command terminated by signal
Missing Command
{
"tool": "shell",
"command": "nonexistent_program"
}
sh: nonexistent_program: command not found
No Output
If a command succeeds but produces no output:
{
"tool": "shell",
"command": "touch file.txt"
}
Use Cases
Git Operations
{
"tool": "shell",
"command": "git status --short"
}
Build Commands
{
"tool": "shell",
"command": "zig build"
}
File Search
{
"tool": "shell",
"command": "find src -name '*.zig' | wc -l"
}
Testing
{
"tool": "shell",
"command": "zig build test --summary all"
}
System Info
{
"tool": "shell",
"command": "uname -a"
}
Always validate shell commands for security risks. Use SecurityPolicy to enforce safe command patterns.
Source
src/tools/shell.zig:21-117
Testing
Run shell tool tests:
zig build test --summary all
- Basic command execution
- Path validation (cwd)
- Policy enforcement
- Timeout handling
- Output limits
- Error cases