docs: documenting jail bypass if shell namespace is used

evilsocket · evilsocket · commit 11a37bafa234 · 2025-03-18T15:04:09.000+01:00
diff --git a/docs/namespaces.md b/docs/namespaces.md
@@ -270,6 +270,9 @@ Simulates the reasoning process at runtime.
 
 Let the agent execute shell commands.
 
+> [!WARNING]
+> Using this tool will bypass the filesystem jail mechanism
+
 <details>
 <summary><b>Show Tools</b></summary>
 
diff --git a/nerve/tools/namespaces/shell.py b/nerve/tools/namespaces/shell.py
@@ -1,5 +1,8 @@
 """
 Let the agent execute shell commands.
+
+> [!WARNING]
+> Using this tool will bypass the filesystem jail mechanism
 """
 
 import subprocess
@@ -11,7 +14,6 @@
 EMOJI = "💻"
 
 
-# TODO: if both filesystem and shell are used, shell can be used to bypass the filesystem jailing system. find a way to either prevent it, or communicate it.
 def shell(
     command: Annotated[str, "The shell command to execute"],
 ) -> str | bytes:
