These docs track the main branch and may describe unreleased features. The stable documentation lives at docs.docker.com.

Shell Tool

Execute arbitrary shell commands in the user's environment.

Overview

The shell tool allows agents to execute arbitrary shell commands synchronously. This is one of the most powerful tools — it lets agents run builds, install dependencies, query APIs, and interact with the system. Each call runs in a fresh, isolated shell session — no state persists between calls.

Commands have a default 30-second timeout and require user confirmation unless --yolo is used. For servers, watchers, and other long-running commands, add the background_jobs toolset alongside shell.

Configuration

toolsets:
  - type: shell

Options

Property Type Description
env object Environment variables to set for all shell commands
safer boolean Detect destructive shell commands and force confirmation regardless of --yolo or permission rules (see Safer mode). Default false.
sudo_askpass boolean Opt in to prompting for a sudo password (see Sudo support). Default false.

Custom Environment Variables

toolsets:
  - type: shell
    env:
      MY_VAR: "value"
      PATH: "${env.PATH}:/custom/bin"

Safer mode

Set safer: true to enable destructive-command detection for the shell toolset:

toolsets:
  - type: shell
    safer: true

This auto-registers the safer_shell builtin under pre_tool_use with preempt_yolo: true so the entry fires before Decide() / --yolo. Three behaviors:

The verdict cannot be bypassed by --yolo or by a permission_request hook that returns allow — the preempt_yolo lane runs before both. Compound shell (a && b, a; b, a | b) is never matched against the safe allowlist; any destructive segment falls through to ask. The full taxonomy lives in pkg/hooks/builtins/safety_patterns.json.

See examples/shell_safer.yaml for a full example. Under the hood, safer: true is a sugar that appends one entry under hooks.pre_tool_use with preempt_yolo: true; writing the entry by hand achieves the same thing.

Sudo support

By default a shell command has no controlling terminal, so a sudo command that needs a password hangs until it times out (the agent usually gives up and falls back to printing manual instructions).

Set sudo_askpass: true to enable a sudo privilege escalation flow:

toolsets:
  - type: shell
    sudo_askpass: true

When enabled, sudo commands prompt you for your password through the host UI (the input is masked). The password is handed to sudo over a private, per-session socket via the standard SUDO_ASKPASS mechanism — it is never written to the command line, the logs, or stored by the agent.

The bridge environment variables (SUDO_ASKPASS, CAGENT_ASKPASS_SOCKET, CAGENT_ASKPASS_TOKEN) are added only to commands that invoke sudo, but within such a command they are visible to every child process, not just sudo. They carry a socket path and a session token, not the password; the socket lives in a 0700 directory, so only your own user can reach it.

Notes and limitations:

Available Tools

The shell toolset exposes one tool:

Tool Name Description
shell Run a command synchronously and return its combined output when it finishes.

shell parameters

Parameter Type Required Description
cmd string The shell command to execute.
cwd string Working directory to run the command in (default: .).
timeout integer Per-call execution timeout in seconds (default: 30).
Safety

The shell tool gives agents full access to the system shell. Always set max_iterations on agents that use the shell tool to prevent infinite loops. A value of 20–50 is typical for development agents. Use Sandbox Mode for additional isolation.

Tool Confirmation

By default, docker-agent asks for user confirmation before executing shell commands. Use --yolo to auto-approve all tool calls.