Module●Since v0.3

local_shell

LocalShellBackend: Filesystem backend with unrestricted local shell execution.

This backend extends FilesystemBackend to add shell command execution on the local host system. It provides NO sandboxing or isolation - all operations run directly on the host machine with full system access.

Attributes

attribute

DEFAULT_EXECUTE_TIMEOUT: int

Default timeout in seconds for shell command execution.

Classes

class

FilesystemBackend

Backend that reads and writes files directly from the filesystem.

Files are accessed using their actual filesystem paths. Relative paths are resolved relative to the current working directory. Content is read/written as plain text, and metadata (timestamps) are derived from filesystem stats.

Security Warning

This backend grants agents direct filesystem read/write access. Use with caution and only in appropriate environments.

Appropriate use cases:

Local development CLIs (coding assistants, development tools)
CI/CD pipelines (see security considerations below)

Inappropriate use cases:

Web servers or HTTP APIs - use StateBackend, StoreBackend, or SandboxBackend instead

Security risks:

Agents can read any accessible file, including secrets (API keys, credentials, .env files)
Combined with network tools, secrets may be exfiltrated via SSRF attacks
File modifications are permanent and irreversible

Recommended safeguards:

Enable Human-in-the-Loop (HITL) middleware to review sensitive operations
Exclude secrets from accessible filesystem paths (especially in CI/CD)
For production environments, prefer StateBackend, StoreBackend or SandboxBackend

In general, we expect this backend to be used with Human-in-the-Loop (HITL) middleware, or within a properly sandboxed environment if you need to run untrusted workloads.

Note

virtual_mode=True is primarily for virtual path semantics (for example with CompositeBackend). It can also provide path-based guardrails by blocking traversal (.., ~) and absolute paths outside root_dir, but it does not provide sandboxing or process isolation. The default (virtual_mode=False) provides no security even with root_dir set.

class

ExecuteResponse

Result of code execution.

Simplified schema optimized for LLM consumption.

class

SandboxBackendProtocol

Extension of BackendProtocol that adds shell command execution.

Designed for backends running in isolated environments (containers, VMs, remote hosts).

Adds execute()/aexecute() for shell commands and an id property.

See BaseSandbox for a base class that implements all inherited file operations by delegating to execute().

class

LocalShellBackend

Filesystem backend with unrestricted local shell command execution.

This backend extends FilesystemBackend to add shell command execution capabilities. Commands are executed directly on the host system without any sandboxing, process isolation, or security restrictions.

Security Warning

This backend grants agents BOTH direct filesystem access AND unrestricted shell execution on your local machine. Use with extreme caution and only in appropriate environments.

Appropriate use cases:

Local development CLIs (coding assistants, development tools)
Personal development environments where you trust the agent's code
CI/CD pipelines with proper secret management (see security considerations)

Inappropriate use cases:

Production environments (e.g., web servers, APIs, multi-tenant systems)
Processing untrusted user input or executing untrusted code

Use StateBackend, StoreBackend, or extend BaseSandbox for production.

Security risks:

Agents can execute arbitrary shell commands with your user's permissions
Agents can read any accessible file, including secrets (API keys, credentials, .env files, SSH keys, etc.)
Combined with network tools, secrets may be exfiltrated via SSRF attacks
File modifications and command execution are permanent and irreversible
Agents can install packages, modify system files, spawn processes, etc.
No process isolation - commands run directly on your host system
No resource limits - commands can consume unlimited CPU, memory, disk

Recommended safeguards:

Since shell access is unrestricted and can bypass filesystem restrictions:

Enable Human-in-the-Loop (HITL) middleware to review and approve ALL operations before execution. This is STRONGLY RECOMMENDED as your primary safeguard when using this backend.
Run in dedicated development environments only - never on shared or production systems
Never expose to untrusted users or allow execution of untrusted code
For production environments requiring code execution, extend BaseSandbox to create a properly isolated backend (Docker containers, VMs, or other sandboxed execution environments)

Note

virtual_mode=True and path-based restrictions provide NO security with shell access enabled, since commands can access any path on the system

View source on GitHub

local_shell

Attributes

Classes

LangChain Assistant

Menu

local_shell

Attributes

Classes