Address review feedback

- Remove shell commands section from agent instructions
- Merge Platform Notes into Agent-Specific Notes section
- Remove redundant description text from bash tool
This commit is contained in:
pullfrog
2026-01-08 20:04:02 +00:00
committed by Colin McDonnell
parent 9291ee5952
commit 6260b23de7
4 changed files with 20 additions and 1233 deletions
-6
View File
@@ -143,12 +143,6 @@ Tool names may be formatted as \`(server name)/(tool name)\`, for example: \`${g
**Efficiency**: Trust the tools - do not repeatedly verify file contents or git status after operations. If a tool reports success, proceed to the next step. Only verify if you encounter an actual error.
${
useNativeBash
? `**Shell commands**: Use your native bash/shell tool for shell command execution.`
: `**Shell commands**: Use the \`${ghPullfrogMcpName}/bash\` MCP tool for all shell command execution. This tool provides a secure environment with filtered credentials. Do NOT use any native shell/bash tool - it is disabled for security.`
}
**Command execution**: Never use \`sleep\` to wait for commands to complete. Commands run synchronously - when the bash tool returns, the command has finished.
**Commenting style**: When posting comments via ${ghPullfrogMcpName}, write as a professional team member would. Your final comments should be polished and actionable—do not include intermediate reasoning like "I'll now look at the code" or "Let me respond to the question."
+13 -15
View File
@@ -177,21 +177,6 @@ Expected output:
---
## Platform Notes
| Environment | `GITHUB_ACTIONS` | Our approach |
|-------------|------------------|--------------|
| GitHub Actions (Linux) | `"true"` | filterEnv + unshare |
| Local dev (any OS) | unset | filterEnv only |
We check `GITHUB_ACTIONS=true` (set automatically by GitHub) rather than platform detection. This means:
- **In CI**: Full protection with PID namespace isolation
- **Locally**: Easier testing without Docker/unshare requirements
GitHub Actions uses Ubuntu runners where `unshare` works without root.
---
## What This Does NOT Protect Against
- **Network exfiltration**: Child has full network access
@@ -204,6 +189,19 @@ For those, you'd need `bwrap` with `--unshare-net`, `--ro-bind`, etc. But for th
## Agent-Specific Notes
### Platform Environments
| Environment | `CI` | Our approach |
|-------------|------|--------------|
| GitHub Actions (Linux) | `"true"` | filterEnv + unshare |
| Local dev (any OS) | unset | filterEnv only |
We check `CI=true` (set automatically by GitHub) rather than platform detection. This means:
- **In CI**: Full protection with PID namespace isolation
- **Locally**: Easier testing without Docker/unshare requirements
GitHub Actions uses Ubuntu runners where `unshare` works without root.
### Agents Using MCP Bash (Claude, Cursor, OpenCode)
These agents have their native Bash disabled. They use our `gh_pullfrog` MCP server's `bash` tool which implements `filterEnv()` + `unshare`.
+6 -1209
View File
File diff suppressed because it is too large Load Diff
+1 -3
View File
@@ -83,9 +83,7 @@ Use this tool to:
- Run shell commands (ls, cat, grep, find, etc.)
- Execute build tools (npm, pnpm, cargo, make, etc.)
- Run tests and linters
- Perform git operations
The command runs in a bash shell with a filtered environment that excludes sensitive variables like API keys and tokens.`,
- Perform git operations`,
parameters: BashParams,
execute: execute(async (params) => {
const timeout = Math.min(params.timeout ?? 120000, 600000);