Terminal implements a defense-in-depth security model to prevent command injection, path traversal, and destructive operations.
Goal Frustration Collapse occurs when AI agents panic and attempt destructive operations like deleting files or running dangerous commands when they cannot solve a problem. Terminal blocks these escape routes through multiple validation layers.
Terminal uses ACL-based security:
- Deny-First Policy - Blocked commands are rejected immediately
- Allow-List Enforcement - Only explicitly allowed commands pass
- Workspace Sandboxing - Commands restricted to approved directories
- Environment Isolation - Sensitive env vars filtered out

The following are blocked:
- Shell Injection - `; rm -rf /` in arguments
- Command Chaining - `||` and `&&` exploitation
- Path Traversal - `../../../etc/passwd` access
- Variable Expansion - `$()` and backtick injection
- Destructive Commands - `rm`, `mkfs`, `dd` on wrong targets

```javascript
// Shell injection
await Terminal.execute('echo; rm -rf /') // Blocked by strictArgs
// Path traversal
await Terminal.execute('cat ../../../etc/passwd') // Blocked by path traversal check
// Variable expansion
await Terminal.execute('echo $(whoami)') // Blocked by strictArgs
```

Direct execution prevents shell interpretation attacks.
Limit the workspace to the minimum required directories.
Always block known-dangerous commands:

```javascript
deny: ['rm -rf *', 'sudo *', 'mkfs.*', 'dd *', 'chmod -R *']
```

Remove sensitive variables:

```javascript
deny: ['SSH_*', 'AWS_*', 'TOKEN*', 'SECRET*', 'PASSWORD*']
```

Prevent runaway processes:

```javascript
timeout: 30000 // 30 seconds max
```

- Command pattern matching (deny then allow)
- Argument count validation
- Shell metacharacter scan
- Path traversal detection
- Workspace path validation
- Environment variable filtering
- Then execute with `shell: false`

- `detached: false` - Process in parent group
- `stdio: ['ignore', 'pipe', 'pipe']` - No inherited streams
- `AbortController` - Reliable termination
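
The validation order listed above, sketched as a standalone validator (an added example, not Terminal's own code). The policy shape, the allow-list entries, `maxArgs`, the workspace path and the metacharacter set are assumptions; the deny patterns are the ones shown on this page.

```javascript
// Hypothetical policy shape for illustration; not Terminal's configuration schema.
const policy = {
  deny: ['rm -rf *', 'sudo *', 'mkfs.*', 'dd *', 'chmod -R *'],   // patterns from the page
  allow: ['echo *', 'cat *', 'ls *'],                              // constructed
  maxArgs: 8,                                                      // constructed
  workspace: '/srv/agent/workspace',                               // constructed
  envDeny: ['SSH_*', 'AWS_*', 'TOKEN*', 'SECRET*', 'PASSWORD*'],   // patterns from the page
};

// '*' is the only wildcard; everything else is matched literally and anchored.
const glob = (g) =>
  new RegExp('^' + g.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*') + '$');
const matchesAny = (globs, s) => globs.some((g) => glob(g).test(s));

// Returns { ok: true, argv } or { ok: false, reason } naming the first failed layer.
function validate(command, p = policy) {
  const line = command.trim();
  const argv = line.split(/\s+/);
  const fail = (reason) => ({ ok: false, reason });

  if (matchesAny(p.deny, line)) return fail('deny-list');
  if (!matchesAny(p.allow, line)) return fail('not-allowed');
  if (argv.length - 1 > p.maxArgs) return fail('too-many-args');
  // Assumed metacharacter set: chaining, substitution, redirection, newlines.
  if (/[;&|`$<>\n]/.test(line)) return fail('shell-metacharacter');

  for (const arg of argv.slice(1)) {
    if (arg.split('/').includes('..')) return fail('path-traversal');
    if (arg.startsWith('/')) {
      // Lexical check only; a symlink inside the workspace still needs realpath.
      const norm = '/' + arg.split('/').filter((s) => s && s !== '.').join('/');
      if (norm !== p.workspace && !norm.startsWith(p.workspace + '/')) return fail('outside-workspace');
    }
  }
  return { ok: true, argv }; // argv is what would be passed to spawn with shell: false
}

// Drop every variable whose name matches an envDeny pattern.
function filterEnv(env, p = policy) {
  return Object.fromEntries(Object.entries(env).filter(([k]) => !matchesAny(p.envDeny, k)));
}
```

Each rejection names the first layer that failed, which is useful in logs when tuning a policy. The globs here are anchored, so `TOKEN*` does not match a name like `GITHUB_TOKEN`; the page does not say how Terminal anchors its patterns.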
- Configuration - Configure security settings
- API Reference - Security-related APIs