- Never interpolate untrusted input directly into commands — pass it as positional arguments (`"$1"`) or use `printf '%q'` to quote it safely.
- Avoid `eval` with any user-supplied or environment-derived data — it executes arbitrary code and is almost never necessary.
- Create temporary files with `mktemp` (which honours `$TMPDIR`) and set `umask 077` before writing sensitive data, so every file the script creates is readable only by its owner.
- Use `IFS=$'\n\t'` (newline and tab only, dropping the space that the default IFS contains) when iterating file lists, so filenames with spaces are not split into several words.
- Validate and sanitize all input with allowlist patterns using `[[ "$input" =~ ^[a-zA-Z0-9_-]+$ ]]` before use in file paths or commands.
- Do not store credentials in script files — read them from environment variables or prompt with `read -rs SECRET` to avoid shell history exposure.
- Use `chmod 700 script.sh` for scripts that contain sensitive logic and `chmod 600` for config files with embedded secrets.
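The rules above applied in one small bash script, as an added example rather than code from the original list. The function names (`validate_name`, `safe_grep`, `quote_for_shell`, `write_private_tmp`, `count_files`) are ours, and the script assumes bash rather than POSIX sh.

```bash
#!/usr/bin/env bash
# Added example, not from the original list: function names
# (validate_name, safe_grep, ...) are ours.
set -euo pipefail
IFS=$'\n\t'        # no space: word-split only on newline/tab (rule 4)
umask 077          # files this script creates are private (rule 3)

# Allowlist validation (rule 5): letters, digits, '_' and '-' only.
validate_name() {
    [[ "$1" =~ ^[a-zA-Z0-9_-]+$ ]]
}

# Untrusted input reaches grep only as a positional argument (rule 1);
# it is never spliced into a string for eval or sh -c (rule 2).
safe_grep() {
    local pattern=$1 file=$2
    validate_name "$pattern" || { printf 'rejected: %s\n' "$pattern" >&2; return 2; }
    grep -F -- "$pattern" "$file"
}

# When a value must be embedded in a generated command line, quote it
# so the shell reads it back as one literal word.
quote_for_shell() {
    printf '%q' "$1"
}

# mktemp honours $TMPDIR; with umask 077 above the file is created 0600.
write_private_tmp() {
    local tmp
    tmp=$(mktemp "${TMPDIR:-/tmp}/secret.XXXXXX")
    printf '%s\n' "$1" > "$tmp"
    printf '%s\n' "$tmp"
}

# With space removed from IFS, filenames containing spaces survive a
# plain command substitution. Filenames with embedded newlines still do
# not; use find -print0 with read -d '' for those.
count_files() {
    local dir=$1 n=0 f
    for f in $(find "$dir" -type f); do
        n=$((n + 1))
    done
    printf '%s\n' "$n"
}
```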