fireclaw/skills/run_command/run.py

#!/usr/bin/env python3
import subprocess
import sys
import json
import re

DANGEROUS_PATTERNS = [
    (re.compile(r'\brm\s+(-[a-zA-Z]*f[a-zA-Z]*\s+)?-[a-zA-Z]*r[a-zA-Z]*\s+(/|~|\.)(\s|$)'), "recursive delete of critical path"),
    (re.compile(r'\brm\s+(-[a-zA-Z]*r[a-zA-Z]*\s+)?-[a-zA-Z]*f[a-zA-Z]*\s+(/|~|\.)(\s|$)'), "recursive delete of critical path"),
    (re.compile(r'\bdd\s+if='), "raw disk write (dd)"),
    (re.compile(r'\bmkfs\b'), "filesystem format"),
    (re.compile(r':\(\)\s*\{[^}]*:\s*\|\s*:'), "fork bomb"),
    (re.compile(r'>\s*/dev/[sh]d[a-z]'), "device write"),
    (re.compile(r'\bchmod\s+(-[a-zA-Z]*R[a-zA-Z]*\s+)?777\s+/(\s|$)'), "recursive chmod 777 on /"),
    (re.compile(r'\b(shutdown|reboot|halt|poweroff)\b'), "system shutdown/reboot"),
    (re.compile(r'\bkill\s+-9\s+(-1|1)\b'), "kill init or all processes"),
]


def check_dangerous(cmd):
    for pattern, desc in DANGEROUS_PATTERNS:
        if pattern.search(cmd):
            return desc
    return None


args = json.loads(sys.stdin.read())
command = args.get("command", "")

blocked = check_dangerous(command)
if blocked:
    print(f'[blocked: command matches dangerous pattern "{blocked}". This command was not executed.]')
    sys.exit(0)

try:
    result = subprocess.run(
        ["bash", "-c", command],
        capture_output=True,
        text=True,
        timeout=120,
    )
    output = result.stdout
    if result.stderr:
        output += f"\n[stderr] {result.stderr}"
    if result.returncode != 0:
        output += f"\n[exit code: {result.returncode}]"
    print(output.strip() or "[no output]")
except subprocess.TimeoutExpired:
    print("[command timed out after 120s]")
except Exception as e:
    print(f"[error: {e}]")