core/org.llm4s/org.llm4s.toolapi/org.llm4s.toolapi.builtin/org.llm4s.toolapi.builtin.shell/ShellTool

ShellTool

org.llm4s.toolapi.builtin.shell.ShellTool

Tool for executing shell commands under a strict allowlist.

IMPORTANT: This tool requires an explicit allowlist of commands for safety. It will not execute any command whose first token is not in the allowlist.

== Execution model ==

Commands are tokenized with shell-style quoting (see CommandTokenizer) and executed directly via ProcessBuilder '''without invoking a shell'''. As a consequence:

No glob expansion (*, ?, [abc] are passed literally to the program).
No variable substitution ($VAR, ${VAR}, $(...), backticks).
No command chaining or redirection (&&, ;, |, <, >, &).
Quoted arguments are honoured: echo "hello world" runs echo with one argument hello world, not two.

Combined with the allowlist, this means LLM-supplied input that contains shell metacharacters cannot escape into a shell — characters such as && survive tokenization as literal argument bytes and are handed to the allowlisted program, which generally treats them as harmless input.

== Features ==

Command allowlist for security
Configurable working directory
Timeout support
Output size limits

Attributes

Example

{
import org.llm4s.toolapi.builtin.shell._
// Read-only shell (safe commands)
val readOnlyShell = ShellTool.create(ShellConfig.readOnly())
// Development shell (common dev tools)
val devShell = ShellTool.create(ShellConfig.development(
 workingDirectory = Some("/home/user/project")
))
val tools = new ToolRegistry(Seq(devShell))
agent.run("List files in the current directory", tools)

}

Graph

Supertypes

class Object

trait Matchable

class Any

Self type

ShellTool.type

Members list

Value members

Concrete methods

Create a shell tool with the given configuration, returning a Result for safe error handling.

Value parameters

config: Shell configuration with required allowedCommands

Attributes

In this article

Generated with