shell-command-runner
Public
Forked from cseliot/shell-command-runner
Forked from cseliot/shell-command-runner
#v0.1002
An LM Studio plugin that enables AI models to execute shell commands with comprehensive security controls.
rm -rf /, shutdown, sudo, dd if=/dev/zeroecho hi && sudo is caught)git, npm, ls, cat (comma-separated)..)C:\\ or D:/ style paths, not colons in sed patterns or URLscd {sandboxRoot} commands even if cd is blacklistedcd {sandboxRoot} && ... patterns for chaining commands&& are still validated against the blacklist and whitelist before executionWhen enabled, the plugin validates commands against all security checks but never executes them. Returns:
"COMMAND ALLOWED: The command '...' passes all security checks." if all checks passTest mode works independently of "Allow Automatic Execution" - it runs AFTER security checks complete.
run_shell_commandExecutes shell commands with full security validation.
Parameters:
command (string): The command to executecwd (optional string): Subdirectory to run in (must be inside sandbox)timeout (optional number): Execution timeout in millisecondsReturns: Command output, errors, or security rejection messages
get_whitelistRetrieves current allowed commands configuration.
Parameters: None
Returns: List of whitelisted commands with count, or status if whitelist not active
get_blacklistRetrieves current forbidden commands configuration.
Parameters: None
Returns: List of blacklisted commands with count
| Setting | Type | Default | Description |
|---|---|---|---|
| Operating System | Select | Windows | Target shell: Windows (CMD) or Linux/macOS (Bash) |
| Sandbox / Project Root | String | Empty | Absolute path for sandbox restriction |
| Execution Policy | Select | Allow All | Filter mode: Allow All or Allow Only |
| Allowed Commands | String | Empty | Comma-separated whitelist (Allow Only mode only) |
| Forbidden Commands | String | Empty | Comma-separated blacklist (applies to both modes) |
| Environment PATH Extensions | String | Empty | Additional paths to add to system PATH |
| Timeout (ms) | Numeric | 15000 | Maximum command execution time |
| Allow Automatic Execution | Boolean | false | Master switch for command execution |
| Test Mode (Dry Run) | Boolean | false | Validate without executing |
When Test Mode is enabled:
get_whitelist tool - Retrieves current whitelist configurationget_blacklist tool - Retrieves current blacklist configurationcd {sandboxRoot} exception — chained part still runs through blacklist/whitelistv0.1000 - Initial Updates
v0.1001 - Added "Special cd Command Exception"
v0.1002 - Security fixes (blacklist end-of-chain bypass, cd chained command bypass, drive letter detection via |/&&), fixed .. traversal false positive, fixed silent stderr/timeout, fixed unhandled child process errors, deduplicated result formatting
C:\ or D:/ style paths, not colons in sed replacement patterns (s/old:new/) or strings like "BUILD: SUCCESS". Also extended to detect drive letters after | and && operators.grep with no matches) no longer show error messages; only actual failures (exit codes ≠1) show errors. Exit code comparison now handles string codes (e.g. ENOENT) correctly... traversal false positive - Pattern now only matches .. as a path component (preceded/followed by /, \, whitespace, or string boundary), not as text inside file contents or arguments like sed 's/foo..bar/baz/'.echo hi && sudo are now caught even when the blacklisted token appears at the end of a chained command.cd {sandboxRoot} && <cmd> patterns are now validated against the blacklist and whitelist before execution.npm install warnings).TIMEOUT: message instead of a generic error.ls -la ./project/
# Runs in project/src/ subdirectory
command: "npm run build"
cwd: "project/src"