Address review feedback
- Remove shell commands section from agent instructions - Merge Platform Notes into Agent-Specific Notes section - Remove redundant description text from bash tool
This commit is contained in:
committed by
Colin McDonnell
parent
9291ee5952
commit
6260b23de7
@@ -143,12 +143,6 @@ Tool names may be formatted as \`(server name)/(tool name)\`, for example: \`${g
|
||||
|
||||
**Efficiency**: Trust the tools - do not repeatedly verify file contents or git status after operations. If a tool reports success, proceed to the next step. Only verify if you encounter an actual error.
|
||||
|
||||
${
|
||||
useNativeBash
|
||||
? `**Shell commands**: Use your native bash/shell tool for shell command execution.`
|
||||
: `**Shell commands**: Use the \`${ghPullfrogMcpName}/bash\` MCP tool for all shell command execution. This tool provides a secure environment with filtered credentials. Do NOT use any native shell/bash tool - it is disabled for security.`
|
||||
}
|
||||
|
||||
**Command execution**: Never use \`sleep\` to wait for commands to complete. Commands run synchronously - when the bash tool returns, the command has finished.
|
||||
|
||||
**Commenting style**: When posting comments via ${ghPullfrogMcpName}, write as a professional team member would. Your final comments should be polished and actionable—do not include intermediate reasoning like "I'll now look at the code" or "Let me respond to the question."
|
||||
|
||||
+13
-15
@@ -177,21 +177,6 @@ Expected output:
|
||||
|
||||
---
|
||||
|
||||
## Platform Notes
|
||||
|
||||
| Environment | `GITHUB_ACTIONS` | Our approach |
|
||||
|-------------|------------------|--------------|
|
||||
| GitHub Actions (Linux) | `"true"` | filterEnv + unshare |
|
||||
| Local dev (any OS) | unset | filterEnv only |
|
||||
|
||||
We check `GITHUB_ACTIONS=true` (set automatically by GitHub) rather than platform detection. This means:
|
||||
- **In CI**: Full protection with PID namespace isolation
|
||||
- **Locally**: Easier testing without Docker/unshare requirements
|
||||
|
||||
GitHub Actions uses Ubuntu runners where `unshare` works without root.
|
||||
|
||||
---
|
||||
|
||||
## What This Does NOT Protect Against
|
||||
|
||||
- **Network exfiltration**: Child has full network access
|
||||
@@ -204,6 +189,19 @@ For those, you'd need `bwrap` with `--unshare-net`, `--ro-bind`, etc. But for th
|
||||
|
||||
## Agent-Specific Notes
|
||||
|
||||
### Platform Environments
|
||||
|
||||
| Environment | `CI` | Our approach |
|
||||
|-------------|------|--------------|
|
||||
| GitHub Actions (Linux) | `"true"` | filterEnv + unshare |
|
||||
| Local dev (any OS) | unset | filterEnv only |
|
||||
|
||||
We check `CI=true` (set automatically by GitHub) rather than platform detection. This means:
|
||||
- **In CI**: Full protection with PID namespace isolation
|
||||
- **Locally**: Easier testing without Docker/unshare requirements
|
||||
|
||||
GitHub Actions uses Ubuntu runners where `unshare` works without root.
|
||||
|
||||
### Agents Using MCP Bash (Claude, Cursor, OpenCode)
|
||||
|
||||
These agents have their native Bash disabled. They use our `gh_pullfrog` MCP server's `bash` tool which implements `filterEnv()` + `unshare`.
|
||||
|
||||
+1
-3
@@ -83,9 +83,7 @@ Use this tool to:
|
||||
- Run shell commands (ls, cat, grep, find, etc.)
|
||||
- Execute build tools (npm, pnpm, cargo, make, etc.)
|
||||
- Run tests and linters
|
||||
- Perform git operations
|
||||
|
||||
The command runs in a bash shell with a filtered environment that excludes sensitive variables like API keys and tokens.`,
|
||||
- Perform git operations`,
|
||||
parameters: BashParams,
|
||||
execute: execute(async (params) => {
|
||||
const timeout = Math.min(params.timeout ?? 120000, 600000);
|
||||
|
||||
Reference in New Issue
Block a user