/**
* Shell Gate — SwarmForge Plugin
* Blocks dangerous shell commands before they reach the terminal.
* Compatible with both SwarmClaw and OpenClaw plugin formats.
*/
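/**
 * Regular-expression rules for commands the gate refuses to pass through.
 *
 * Each rule is tested against the trimmed command string; the first match
 * blocks the call. None of the rules carries the `g` or `y` flag, so
 * `RegExp.prototype.test` is stateless and the rules are safe to reuse.
 *
 * NOTE(review): a pattern blocklist cannot enumerate every destructive
 * command line. Treat it as a guardrail against accidental damage and pair it
 * with OS-level controls (unprivileged user, container/sandbox, read-only
 * mounts) rather than relying on it as the only security boundary.
 */
const BLOCKED_PATTERNS = [
  // rm aimed at a path that starts with "/" or "~". The flag group is
  // optional, so this also matches a plain `rm /some/file`, not only `rm -rf /`.
  /\brm\s+(-[rRf]+\s+)*[\/~]/,
  // chmod 777 (world-writable permissions)
  /\bchmod\s+777\b/,
  // dd with an explicit input file
  /\bdd\s+if=/,
  // mkfs (format disk)
  /\bmkfs\b/,
  // redirect into a raw disk device
  />\s*\/dev\/sd[a-z]/,
  // fork bomb. The previous rule began with `\b` in front of ":" (a non-word
  // character) and used `()` as an empty capture group instead of literal
  // parentheses, so it could not match the shape it was written for.
  /:\s*\(\s*\)\s*\{\s*:\s*\|\s*:\s*&\s*\}/,
  // shutdown
  /\bshutdown\b/,
  // reboot
  /\breboot\b/,
  // kill -9 on PID 1 (init)
  /\bkill\s+-9\s+1\b/,
  // curl output piped into sh/bash
  /\bcurl\b.*\|\s*(ba)?sh/,
  // wget output piped into sh/bash
  /\bwget\b.*\|\s*(ba)?sh/,
];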
/**
 * Commands that are refused when the trimmed input equals one of these
 * strings exactly. The comparison is a plain Set lookup, so any difference in
 * spacing or flag order falls through to the regular-expression rules.
 */
const BLOCKED_EXACT = new Set();
for (const literal of [
  'rm -rf /',
  'rm -rf /*',
  'rm -rf ~',
  'rm -rf ~/*',
  ':() { :|:& };:',
]) {
  BLOCKED_EXACT.add(literal);
}
/**
 * Decide whether a shell command should be refused.
 *
 * The command is trimmed, compared against the exact-match set, and then
 * tested against each regular-expression rule in order.
 *
 * Anything that is not a non-empty string yields `null`, i.e. the gate lets
 * it through (fail-open). The returned message for a pattern hit includes the
 * source of the rule that matched.
 *
 * @param {*} command - Candidate command line.
 * @returns {string|null} Human-readable block reason, or `null` when no rule applies.
 */
function checkCommand(command) {
  const isNonEmptyString = typeof command === 'string' && command.length > 0;
  if (!isNonEmptyString) {
    return null;
  }

  const candidate = command.trim();

  // Exact matches are reported with the command itself.
  if (BLOCKED_EXACT.has(candidate)) {
    return `Blocked dangerous command: "${candidate}"`;
  }

  // First rule that matches wins; the rules are stateless (no g/y flag).
  const matchedRule = BLOCKED_PATTERNS.find((rule) => rule.test(candidate));
  if (matchedRule !== undefined) {
    return `Blocked command matching safety rule: ${matchedRule.toString()}`;
  }

  return null;
}
// --- SwarmClaw Format ---
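/**
 * Shared gate used by both plugin formats.
 *
 * Only calls to the `execute_command` and `shell` tools are inspected.
 * Both `input.command` and `input.cmd` are checked: looking only at the first
 * non-empty one would leave the other field uninspected when a call carries
 * both, and this file cannot tell which field the tool actually runs.
 *
 * NOTE(review): non-string values in these fields are passed through by
 * checkCommand (fail-open); confirm the tools never accept argv arrays.
 * NOTE(review): tools with other names are not gated; verify that
 * no other registered tool can execute shell commands.
 *
 * @param {{toolName: string, input?: {command?: *, cmd?: *}}} toolCtx - Hook context.
 * @returns {{blocked: true, error: string}|undefined} Block verdict, or
 *   `undefined` to let the call proceed.
 */
function gateToolCall(toolCtx) {
  if (toolCtx.toolName !== 'execute_command' && toolCtx.toolName !== 'shell') {
    return undefined;
  }
  for (const candidate of [toolCtx.input?.command, toolCtx.input?.cmd]) {
    const reason = checkCommand(candidate);
    if (reason) {
      return { blocked: true, error: reason };
    }
  }
  return undefined;
}

module.exports = {
  name: 'Shell Gate',
  // NOTE(review): the description advertises a "Configurable blocklist", but
  // nothing in this file reads configuration; the rules are fixed constants.
  description: 'Blocks dangerous shell commands like rm -rf /, chmod 777, and dd before they reach the terminal. Configurable blocklist.',
  version: '1.0.0',
  openclaw: true,
  hooks: {
    /**
     * SwarmClaw hook: runs before a tool executes.
     * @param {object} ctx - Hook context carrying `toolName` and `input`.
     * @returns {{blocked: true, error: string}|undefined}
     */
    beforeToolExec(ctx) {
      return gateToolCall(ctx);
    },
  },
  tools: [
    {
      name: 'shell_gate_status',
      description: 'Show current Shell Gate blocked patterns and status.',
      parameters: { type: 'object', properties: {} },
      /**
       * Report the rule counts and the source of every pattern as JSON.
       * `enabled` is a literal `true`; it is not derived from any runtime state.
       * NOTE(review): this returns the full rule list to whoever may call the
       * tool. Confirm that exposing the rules to the gated caller is intended.
       * @returns {string} Pretty-printed JSON status.
       */
      execute() {
        return JSON.stringify({
          enabled: true,
          blockedPatterns: BLOCKED_PATTERNS.length,
          exactBlocks: BLOCKED_EXACT.size,
          patterns: BLOCKED_PATTERNS.map((rule) => rule.toString()),
        }, null, 2);
      },
    },
  ],
  // --- OpenClaw Format ---
  /**
   * OpenClaw entry point: registers the same gate on the `tool:call` hook.
   * @param {object} api - Plugin API exposing `registerHook` and `log.info`.
   */
  register(api) {
    api.registerHook('tool:call', (toolCtx) => gateToolCall(toolCtx));
    api.log.info('Shell Gate activated — dangerous commands will be blocked');
  },
};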