Skip to main content

Usage

Execute a shell command. 
<shell>npm test</shell>
Returns: 
<shell>
  <stdout>...</stdout>
  <stderr>...</stderr>
  <exitCode>0</exitCode>
</shell>
  • Commands run with a 10-second timeout
  • Output is capped at 10MB
  • Returns stdout, stderr, and exit code

Command tiers

Magnitude classifies shell commands into three safety tiers:
  • Read-only — always allowed (ls, cat, grep, find, git status, git log, git diff, and similar)
  • Standard — allowed for most agents, but blocked if they target paths outside the working directory
  • Forbidden — always blocked, with no override
Forbidden commands include:
  • Destructive infrastructure commands (Docker/Kubernetes/Terraform mutations)
  • Cloud CLI mutations (AWS/GCP/Azure write operations)
  • Database destructive operations
  • System administration changes (power, network, firewall, critical services)
  • Package registry publishing (npm publish, cargo publish, and similar)
  • Dangerous Git operations (force push, reset, and similar)
Read-only Git commands (like git status, git log, and git diff) are always allowed. All other Git commands are blocked.

Path safety

All file writes, edits, and shell commands that target paths outside your working directory are blocked. Exceptions: /tmp and /dev/null.

Per-agent access

Not all agents have the same access:
  • Explorer and Planner are read-only (read-only shell only, no file writes)
  • Builder and Debugger can write files and run standard shell commands within the working directory
  • Reviewer has read-only shell access (like Explorer/Planner), but can also spawn browser agents for visual verification
  • The team lead has the broadest access, but is still subject to shell safety rules
All agents can read and write to the session workspace ($M) regardless of their file access level. “Read-only” refers to project files only.
If a command is blocked that you need, you can run it yourself in bash mode (/bash) or a separate terminal.