fix(skill_loader): add conditional loading of execute_command based on env var

Sodawyx · Sodawyx · commit 525172c5a50b · 2026-04-07T16:08:36.000+08:00
This change introduces an environment variable `ALLOW_EXECUTE_COMMAND` that controls whether the `execute_command` tool is loaded into the CommonToolSet. By default, the tool is included unless explicitly disabled via the environment variable being set to `"false"` (case-insensitive). This provides better control over security-sensitive functionality.

Tests have been added to verify all scenarios including default behavior, true/false values, and case insensitivity.

Co-developed-by: Aone Copilot &lt;noreply@alibaba-inc.com&gt;
Signed-off-by: Sodawyx &lt;sodawyx@126.com&gt;
diff --git a/agentrun/integration/utils/skill_loader.py b/agentrun/integration/utils/skill_loader.py
@@ -600,10 +600,32 @@ def _execute_command_func(
                 ensure_ascii=False,
             )
 
+    @staticmethod
+    def _is_execute_command_allowed() -> bool:
+        """检查环境变量是否允许加载 execute_command 工具
+
+        Check whether the ALLOW_EXECUTE_COMMAND environment variable permits
+        loading the execute_command tool.
+
+        The variable is read from ``os.environ``.  When it is absent or set to
+        any value other than a case-insensitive ``"false"``, the tool is
+        allowed (default **True**).
+
+        Returns:
+            True 表示允许 / True means allowed
+        """
+        value = os.environ.get("ALLOW_EXECUTE_COMMAND", "true")
+        return value.lower() != "false"
+
     def to_common_toolset(self) -> CommonToolSet:
-        """构造包含 load_skills、read_skill_file、execute_command 工具的 CommonToolSet
+        """构造包含 load_skills、read_skill_file 以及可选的 execute_command 工具的 CommonToolSet
+
+        Construct CommonToolSet with load_skills, read_skill_file, and
+        optionally execute_command tools.
 
-        Construct CommonToolSet with load_skills, read_skill_file, and execute_command tools.
+        The execute_command tool is included only when the environment variable
+        ``ALLOW_EXECUTE_COMMAND`` is not set to ``"false"`` (case-insensitive).
+        When the variable is absent, it defaults to ``"true"`` (included).
 
         Returns:
             CommonToolSet 实例 / CommonToolSet instance
@@ -656,54 +678,52 @@ def to_common_toolset(self) -> CommonToolSet:
             func=self._read_skill_file_func,
         )
 
-        execute_command_tool = Tool(
-            name="execute_command",
-            description=(
-                "Execute a shell command on the local machine. "
-                "Use this to run scripts, install dependencies, or perform "
-                "file operations as instructed by skill documentation. "
-                "Returns stdout, stderr, exit_code, and timeout status.\n\n"
-                "⚠️ IMPORTANT: Before calling this tool, you MUST first "
-                "display the exact command to the user and ask for explicit "
-                "confirmation. Only proceed if the user approves. "
-                "Never execute commands without user approval."
-            ),
-            parameters=[
-                ToolParameter(
-                    name="command",
-                    param_type="string",
-                    description="The shell command to execute.",
-                    required=True,
+        tools_list: List[Tool] = [load_skills_tool, read_skill_file_tool]
+
+        if self._is_execute_command_allowed():
+            execute_command_tool = Tool(
+                name="execute_command",
+                description=(
+                    "Execute a shell command on the local machine. Use this to"
+                    " run scripts, install dependencies, or perform file"
+                    " operations as instructed by skill documentation. Returns"
+                    " stdout, stderr, exit_code, and timeout status.\n\n⚠️"
+                    " IMPORTANT: Before calling this tool, you MUST first"
+                    " display the exact command to the user and ask for"
+                    " explicit confirmation. Only proceed if the user approves."
+                    " Never execute commands without user approval."
                 ),
-                ToolParameter(
-                    name="cwd",
-                    param_type="string",
-                    description=(
-                        "Working directory for the command. "
-                        "Defaults to the skills directory if not specified."
+                parameters=[
+                    ToolParameter(
+                        name="command",
+                        param_type="string",
+                        description="The shell command to execute.",
+                        required=True,
                     ),
-                    required=False,
-                ),
-                ToolParameter(
-                    name="timeout",
-                    param_type="integer",
-                    description=(
-                        "Maximum execution time in seconds. "
-                        f"Defaults to {self._command_timeout}."
+                    ToolParameter(
+                        name="cwd",
+                        param_type="string",
+                        description=(
+                            "Working directory for the command. "
+                            "Defaults to the skills directory if not specified."
+                        ),
+                        required=False,
                     ),
-                    required=False,
-                ),
-            ],
-            func=self._execute_command_func,
-        )
+                    ToolParameter(
+                        name="timeout",
+                        param_type="integer",
+                        description=(
+                            "Maximum execution time in seconds. "
+                            f"Defaults to {self._command_timeout}."
+                        ),
+                        required=False,
+                    ),
+                ],
+                func=self._execute_command_func,
+            )
+            tools_list.append(execute_command_tool)
 
-        return CommonToolSet(
-            tools_list=[
-                load_skills_tool,
-                read_skill_file_tool,
-                execute_command_tool,
-            ]
-        )
+        return CommonToolSet(tools_list=tools_list)
 
 
 def skill_tools(
diff --git a/tests/unittests/integration/test_skill_loader.py b/tests/unittests/integration/test_skill_loader.py
@@ -1343,3 +1343,102 @@ def test_execute_command_description_has_safety_warning(
         exec_tool = tool_map["execute_command"]
         assert "IMPORTANT" in exec_tool.description
         assert "approval" in exec_tool.description.lower()
+
+
+# =============================================================================
+# 17. ALLOW_EXECUTE_COMMAND 环境变量控制测试
+# =============================================================================
+
+
+class TestAllowExecuteCommandEnvVar:
+    """测试 ALLOW_EXECUTE_COMMAND 环境变量对 execute_command 工具加载的控制"""
+
+    def test_default_includes_execute_command(self, tmp_path: Any) -> None:
+        """未设置环境变量时，默认包含 execute_command 工具"""
+        skills_dir = str(tmp_path / "skills")
+        os.makedirs(skills_dir)
+        with patch.dict(os.environ, {}, clear=False):
+            os.environ.pop("ALLOW_EXECUTE_COMMAND", None)
+            loader = SkillLoader(skills_dir=skills_dir)
+            toolset = loader.to_common_toolset()
+            tool_names = [t.name for t in toolset.tools()]
+            assert "execute_command" in tool_names
+            assert len(toolset.tools()) == 3
+
+    def test_env_true_includes_execute_command(self, tmp_path: Any) -> None:
+        """ALLOW_EXECUTE_COMMAND=true 时，包含 execute_command 工具"""
+        skills_dir = str(tmp_path / "skills")
+        os.makedirs(skills_dir)
+        with patch.dict(os.environ, {"ALLOW_EXECUTE_COMMAND": "true"}):
+            loader = SkillLoader(skills_dir=skills_dir)
+            toolset = loader.to_common_toolset()
+            tool_names = [t.name for t in toolset.tools()]
+            assert "execute_command" in tool_names
+            assert len(toolset.tools()) == 3
+
+    def test_env_false_excludes_execute_command(self, tmp_path: Any) -> None:
+        """ALLOW_EXECUTE_COMMAND=false 时，不包含 execute_command 工具"""
+        skills_dir = str(tmp_path / "skills")
+        os.makedirs(skills_dir)
+        with patch.dict(os.environ, {"ALLOW_EXECUTE_COMMAND": "false"}):
+            loader = SkillLoader(skills_dir=skills_dir)
+            toolset = loader.to_common_toolset()
+            tool_names = [t.name for t in toolset.tools()]
+            assert "execute_command" not in tool_names
+            assert len(toolset.tools()) == 2
+            assert "load_skills" in tool_names
+            assert "read_skill_file" in tool_names
+
+    def test_env_false_case_insensitive(self, tmp_path: Any) -> None:
+        """ALLOW_EXECUTE_COMMAND=False / FALSE 等大小写变体均生效"""
+        skills_dir = str(tmp_path / "skills")
+        os.makedirs(skills_dir)
+        for value in ("False", "FALSE", "fAlSe"):
+            with patch.dict(os.environ, {"ALLOW_EXECUTE_COMMAND": value}):
+                loader = SkillLoader(skills_dir=skills_dir)
+                toolset = loader.to_common_toolset()
+                tool_names = [t.name for t in toolset.tools()]
+                assert (
+                    "execute_command" not in tool_names
+                ), f"execute_command should be excluded for value={value!r}"
+
+    def test_env_non_false_includes_execute_command(
+        self, tmp_path: Any
+    ) -> None:
+        """ALLOW_EXECUTE_COMMAND 设置为非 false 的值时，包含 execute_command"""
+        skills_dir = str(tmp_path / "skills")
+        os.makedirs(skills_dir)
+        for value in ("True", "TRUE", "1", "yes", "anything"):
+            with patch.dict(os.environ, {"ALLOW_EXECUTE_COMMAND": value}):
+                loader = SkillLoader(skills_dir=skills_dir)
+                toolset = loader.to_common_toolset()
+                tool_names = [t.name for t in toolset.tools()]
+                assert (
+                    "execute_command" in tool_names
+                ), f"execute_command should be included for value={value!r}"
+
+    def test_is_execute_command_allowed_static_method(self) -> None:
+        """直接测试 _is_execute_command_allowed 静态方法"""
+        with patch.dict(os.environ, {}, clear=False):
+            os.environ.pop("ALLOW_EXECUTE_COMMAND", None)
+            assert SkillLoader._is_execute_command_allowed() is True
+
+        with patch.dict(os.environ, {"ALLOW_EXECUTE_COMMAND": "true"}):
+            assert SkillLoader._is_execute_command_allowed() is True
+
+        with patch.dict(os.environ, {"ALLOW_EXECUTE_COMMAND": "false"}):
+            assert SkillLoader._is_execute_command_allowed() is False
+
+        with patch.dict(os.environ, {"ALLOW_EXECUTE_COMMAND": "False"}):
+            assert SkillLoader._is_execute_command_allowed() is False
+
+    def test_skill_tools_func_respects_env_var(self, tmp_path: Any) -> None:
+        """测试顶层 skill_tools() 函数也受环境变量控制"""
+        skills_dir = str(tmp_path / "skills")
+        os.makedirs(skills_dir)
+        with patch.dict(os.environ, {"ALLOW_EXECUTE_COMMAND": "false"}):
+            toolset = skill_tools(skills_dir=skills_dir)
+            tool_names = [t.name for t in toolset.tools()]
+            assert "execute_command" not in tool_names
+            assert "load_skills" in tool_names
+            assert "read_skill_file" in tool_names
