Security: nurujjamanpollob/autonomous-shell-eaze-editor-plugin

Security Policy

⚠️ Important Notice

The Autonomous Shell Plugin grants AI agents direct access to your system's shell. By design, this is a powerful capability that comes with inherent risk. This document outlines the security mechanisms built into the plugin and provides recommendations for safe usage.


Supported Versions

| Version | Supported |
|---|---|
| 1.0.x | ✅ Active support |

Reporting a Vulnerability

If you discover a security vulnerability, please do NOT open a public issue. Instead:

  1. Email: Send a detailed report to the repository owner via GitHub's private vulnerability reporting feature, or contact @nurujjamanpollob directly.
  2. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)
  3. Response time: We aim to acknowledge reports within 48 hours and provide a fix or mitigation within 7 days for critical issues.

Built-in Security Features

Command Safety Filter

The plugin includes a configurable command filter that intercepts all commands before execution:

| Mode | Behavior |
|---|---|
| Blacklist (default) | Commands in the list are blocked; everything else is allowed. |
| Whitelist | Only commands in the list are allowed; everything else is blocked. |

How it works:

```text
Input command:          "rm -rf /important/data"
Extracted base command: "rm"

Blacklist mode + "rm" in list     → BLOCKED
Whitelist mode + "rm" NOT in list → BLOCKED
```

Note: The filter checks the first word of the command (the base command). Arguments are not filtered. This means rm would be blocked, but a creative bypass like a script alias may not be caught. The filter is a defense-in-depth measure, not a complete sandbox.

Recommended Blacklist

For general use, we recommend blacklisting these commands at minimum:

rm, mkfs, dd, format, shutdown, reboot, poweroff, halt, init,
fdisk, parted, mount, umount, chmod 777, chown, passwd, userdel,
curl | sh, wget | sh
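As an added example (not the plugin's own code), the following Python models the first-word filter described under "How it works" and runs it over the recommended lists in this document. It assumes the filter compares the extracted base command exactly against each configured entry, which is why entries that contain arguments or pipes (chmod 777, curl | sh, wget | sh) are reported as unable to match anything.

```python
# Added example, not the plugin's code. Assumption: the filter takes the first
# whitespace-separated word of the command and compares it exactly to each entry.

# Lists copied from the recommendations in this document.
RECOMMENDED_BLACKLIST = [
    "rm", "mkfs", "dd", "format", "shutdown", "reboot", "poweroff", "halt", "init",
    "fdisk", "parted", "mount", "umount", "chmod 777", "chown", "passwd", "userdel",
    "curl | sh", "wget | sh",
]
RECOMMENDED_WHITELIST = ["git", "ls", "cat", "echo", "pwd", "cd", "mkdir", "node",
                         "npm", "python", "pip", "java", "gradle"]

def base_command(command: str) -> str:
    """First word of the command line, or "" for an empty line."""
    parts = command.split()
    return parts[0] if parts else ""

def is_allowed(command: str, mode: str, entries: list[str]) -> bool:
    """Blacklist: listed base commands are blocked. Whitelist: only listed
    base commands are allowed. Arguments are never inspected."""
    listed = base_command(command) in set(entries)
    if mode == "blacklist":
        return not listed
    if mode == "whitelist":
        return listed
    raise ValueError(f"unknown filter mode: {mode}")

def ineffective_entries(entries: list[str]) -> list[str]:
    """Entries with arguments, pipes or extra whitespace can never equal a
    single base command, so under first-word matching they block nothing."""
    return [e for e in entries if e.split() != [e]]

def normalize_entries(entries: list[str]) -> list[str]:
    """Reduce each entry to its base command so it can match. This widens the
    rule (all of chmod, not just chmod 777): the only granularity a
    first-word filter offers."""
    bases = [base_command(e) for e in entries]
    return list(dict.fromkeys(b for b in bases if b))

if __name__ == "__main__":
    for cmd in ("rm -rf /important/data", "chmod 777 build.sh", "git status"):
        bl = "BLOCKED" if not is_allowed(cmd, "blacklist", RECOMMENDED_BLACKLIST) else "allowed"
        wl = "BLOCKED" if not is_allowed(cmd, "whitelist", RECOMMENDED_WHITELIST) else "allowed"
        print(f"{cmd!r}: blacklist={bl} whitelist={wl}")
    print("inert blacklist entries:", ineffective_entries(RECOMMENDED_BLACKLIST))
    print("normalized:", normalize_entries(RECOMMENDED_BLACKLIST))
```

Run the audit against your own configured list before enabling the filter; any entry it reports as inert should be replaced by its base command or the rule moved to Whitelist mode.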

Security Recommendations

1. Principle of Least Privilege

  • Never run Eaze Editor as root (Linux/macOS) or Administrator (Windows) unless absolutely required.
  • The AI agent inherits the permissions of the editor process. Running as root means the AI can rm -rf /.

2. Use Whitelist Mode in Production

For shared or production environments, switch to Whitelist mode and explicitly allow only the commands the AI needs:

git, ls, cat, echo, pwd, cd, mkdir, node, npm, python, pip, java, gradle

3. Enable the Safety Filter

The filter is disabled by default to avoid blocking legitimate use during initial setup. Enable it as soon as you've configured your command list.

4. Set Appropriate Timeouts

Configure the Global Timeout to prevent runaway commands from consuming resources indefinitely. The default is 1 minute, but adjust based on your workflow.

5. Monitor Active Sessions

Periodically use list_shell_sessions (or check the editor's plugin status) to ensure there are no orphaned sessions running processes you're not aware of.

6. Terminate Sessions When Done

Always call terminate_shell_session when finished. Orphaned sessions may leave background processes running that consume CPU, memory, and potentially hold file locks.


Threat Model

| Threat | Mitigation | Residual Risk |
|---|---|---|
| AI runs destructive command (rm -rf /) | Command Safety Filter (blacklist/whitelist) | Filter only checks base command; creative bypasses possible |
| Command runs indefinitely, consuming resources | Global Timeout (configurable) | Async commands aren't subject to the sync timeout |
| Orphaned sessions leak resources | terminate_shell_session / clear_all_shell_sessions | Requires the AI (or user) to remember to clean up |
| Sensitive data exposed via command output | Token Optimization reduces repeated exposure | Output is still returned to the AI model |
| AI escalates privileges via sudo | Blacklist sudo | User must configure the blacklist |
| Plugin JAR tampered with | Verify checksums from official releases | N/A if building from source |

What This Plugin Does NOT Provide

  • Sandboxing — Commands run directly on the host system with the editor's permissions. There is no container or VM isolation.
  • Network filtering — The plugin does not restrict network access from executed commands.
  • Output sanitization — Command output is returned as-is to the AI model. Sensitive data (passwords, tokens, keys) in command output will be visible to the AI.
  • Audit logging — While the plugin logs tool invocations via PluginApi.info(), it does not maintain a persistent audit trail.

Security Changelog

| Date | Version | Change |
|---|---|---|
| 2026-01-01 | 1.0.0 | Initial release with blacklist/whitelist command filter |

If you have questions about security, please open a GitHub Discussion or contact the maintainer.