README.md
A tools provider plugin for LM Studio that gives models real filesystem access, a command executor, a JavaScript sandbox, and macOS system controls โ all gated by a persistent local permission system you manage through a Python control panel.
| Tool | Description |
|---|---|
get_current_time | Current local date and time |
get_model_info | Loaded model name, size, params, context length, capabilities |
open_control_panel | Open the permissions GUI (macOS) |
read_file | Read an entire file |
read_file_lines | Read a line range โ efficient for large files |
write_file | Create or overwrite a file (creates parent dirs) |
edit_file | Exact substring find-and-replace โ preferred for code edits |
edit_file_lines | Replace a line range โ returns a unified diff |
list_directory | List a folder, optionally recursive |
create_directory | Create a directory |
delete_path | Delete a file or directory |
move_path | Move or rename |
run_command | Execute a shell command (permission-gated) |
run_javascript | Run JS/TS in a sandboxed Deno runtime (no network, no subprocess) |
media_control | Play/pause/next/previous/volume/mute/status via Now Playing |
get_permissions | Show the current permission policy at runtime |
All access control lives in a single file:
~/.lmstudio-toolkit/permissions.json
The plugin only reads it โ never writes it. Your paths, rules, and custom system prompt never leave your machine and are never included in lms push.
The same tier applies to both files and run_command:
| Tier | Files | Commands |
|---|---|---|
read_write | Full access | Any non-denied command; write-impact args path-checked |
read | Read/list only | Read-only commands: ls, cat, grep, find, โฆ |
deny | Invisible | No commands at all |
More specific path rules take priority over less specific ones:
/projects โ read /projects/myapp โ read_write โ wins for everything inside myapp
python3 control_panel.py # GUI (requires Tkinter)
Tabs:
run_command, allow/deny lists with * wildcard support, system launcher commands (macOS)CLI helpers:
python3 control_panel.py show python3 control_panel.py set-rule /abs/path read_write|read|deny python3 control_panel.py del-rule /abs/path python3 control_panel.py set-default read_write|read|deny python3 control_panel.py enable-commands | disable-commands
On the first message of each conversation the plugin injects:
On every subsequent message it injects only the current time and model name โ keeping context overhead minimal.
Disabled by default. Enable in the control panel.
* wildcards: sudo*, shutdown*, passwd*, mkfs* โ 50+ dangerous patterns blocked by defaultrun_command to specific binaries onlyopen, say, osascript, pbcopy, afplay, โฆ) without requiring a working directoryrm, mv, cp, chmod, โฆ) additionally verify that every path argument is inside a read_write-permitted locationSecurity note:
run_commandwith an interpreter (python3,node,bash) gives the model the same power as that interpreter. The deny list prevents accidental damage but is not a sandbox. Use the allow list if you want strict control over what can run.
Requires nowplaying-cli (macOS only):
brew install nowplaying-cli
Works system-wide with any Now Playing source: browsers, Spotify, Apple Music, etc. No Accessibility permissions required.
Uses the bundled Deno runtime from LM Studio. Runs with:
--deny-net --deny-env --deny-sys --deny-run --deny-ffi~/.lmstudio-toolkit/sandbox/)Good for maths, data transformation, JSON parsing, and algorithms. Not for network requests.
cd agent-toolkit lms dev # development with hot-reload # or lms push # publish to LM Studio Hub
After installing, configure your permissions:
python3 control_panel.py
The plugin fails closed by default โ everything is denied until you grant access.