Files
Nexus/.skills/nexus-ssh-safety/SKILL.md
T

30 lines
1.5 KiB
Markdown
Raw Normal View History

---
name: nexus-ssh-safety
description: Use when reviewing or editing Nexus code that executes commands on managed servers over SSH, including file manager, transfer, archive, agent install, and BT panel bootstrap flows.
---
# Nexus SSH Safety
Use for any Nexus feature that builds shell commands or transfers files over SSH.
## Command construction rules
- Prefer argument arrays/local library APIs when available; otherwise quote every dynamic shell token with shlex.quote.
- Insert -- before filename/path operands for commands that parse options:
m, mv, cp, ar, zip, chmod, chown, etc.
- Never concatenate unquoted user input into shell command strings.
- Keep timeouts explicit for network/SSH work; avoid unbounded commands.
- Truncate or sanitize command output before returning it to API clients.
- Do not log secrets or full credential-bearing URLs.
## Path and archive rules
- Normalize paths with POSIX semantics for remote Linux paths.
- Reject empty paths where dangerous, root/system paths for recursive destructive operations, and traversal where the feature expects a bounded directory.
- Archive creation must protect member names beginning with -.
- Archive extraction must validate member names and types before extraction.
- Temporary files/directories must be unique and cleaned best-effort.
## script_service exception