
๐Ÿ›ก๏ธ AI Shell: Safe Usage Patterns

Using AI to write shell scripts introduces a new vector of risk. A single hallucinated flag or misunderstood context can result in destructive commands (like rm -rf / variations). Implementing Safe Usage Patterns ensures that AI-generated code is verified, linted, and sandboxed before execution.


🎯 The "Zero-Trust" Execution Rule

Never pipe AI output directly into a shell.

# ❌ LETHAL ANTI-PATTERN (AI piping)
ai "update all packages and clean up system" | sudo bash

# ✅ SAFE PATTERN
ai "update all packages and clean up system" > update.sh
cat update.sh          # 1. Human Review
shellcheck update.sh   # 2. Automated Linting
bash -n update.sh      # 3. Syntax Dry-Run
chmod +x update.sh && ./update.sh   # 4. Execution (only after steps 1-3 pass)

🧪 Sandboxed Execution (The Ephemeral Container Pattern)

When an AI generates a complex script, test it in an ephemeral Docker container before running it on your host or in production.

#!/bin/bash
# ai-sandbox-test.sh - Safely test AI generated scripts
set -euo pipefail

TEST_SCRIPT="$1"

if [ ! -f "$TEST_SCRIPT" ]; then
    echo "Error: File not found" >&2
    exit 1
fi

# Resolve directory and file name so that both relative and absolute paths mount correctly
SCRIPT_DIR=$(cd "$(dirname "$TEST_SCRIPT")" && pwd)
SCRIPT_NAME=$(basename "$TEST_SCRIPT")

echo "🔍 Linting with ShellCheck..."
# The shellcheck image uses /mnt as its working directory, so the bare file name resolves there
if ! docker run --rm -v "$SCRIPT_DIR:/mnt:ro" koalaman/shellcheck:stable "$SCRIPT_NAME"; then
    echo "❌ ShellCheck failed. Do not run this script." >&2
    exit 1
fi

echo "🐳 Running in ephemeral Ubuntu sandbox..."
# No network, immutable root filesystem, no capabilities; only /tmp and /run are writable
docker run --rm \
    --network none \
    --read-only \
    --cap-drop ALL \
    --tmpfs /tmp \
    --tmpfs /run \
    -v "$SCRIPT_DIR/$SCRIPT_NAME:/test.sh:ro" \
    ubuntu:24.04 bash /test.sh

echo "✅ Sandbox execution finished."

Note: The container uses --network none (no network access at all) and --read-only (the container's root filesystem cannot be modified; only the tmpfs mounts are writable) to limit the blast radius if the AI generated malicious or destructive code.


🤖 Automated Linting Integration

Integrate standard linting tools directly into your AI workflow. If you build an AI CLI wrapper, make shellcheck a mandatory step.

# ~/.bashrc or ~/.zshrc function
ask_ai_sh() {
    local prompt="$*"
    local tmpfile
    # No .sh suffix in the template: GNU mktemp requires the X's to be at the end
    tmpfile=$(mktemp /tmp/ai_script_XXXXXX) || return 1

    echo "Generating script..."
    # Assuming 'llm' is a generic CLI tool for your LLM of choice
    llm "Write a strict bash script to: $prompt. Output ONLY the code." > "$tmpfile"

    echo "--- GENERATED CODE ---"
    cat "$tmpfile"
    echo "----------------------"

    if command -v shellcheck >/dev/null; then
        echo "🔍 Running ShellCheck..."
        # -s bash: the temp file has no .sh extension, so state the dialect explicitly
        if shellcheck -s bash "$tmpfile"; then
            echo "✅ ShellCheck Passed."
        else
            echo "❌ ShellCheck found issues. Review carefully."
        fi
    else
        echo "⚠️ shellcheck is not installed; lint this script before running it." >&2
    fi

    echo "Script saved to $tmpfile"
}

๐Ÿ›ก๏ธ Dropping Privileges for AI Scripts

If an AI-generated script must be run as a service or cron job, enforce the Principle of Least Privilege using a dedicated, restricted user.

# 1. Create a restricted system user with no shell login
sudo useradd -r -s /usr/sbin/nologin ai_worker

# 2. Run the AI script as this user
sudo -u ai_worker bash ai_generated_script.sh

# 3. (Advanced Linux) Use systemd-run for a transient service with sandboxing and
#    capability dropping. Properties such as ProtectSystem= and PrivateNetwork=
#    apply to service units (not --scope units) and need the system instance,
#    so run it via sudo with the restricted user as the service's UID.
sudo systemd-run --wait --pipe \
    --uid=ai_worker \
    -p ProtectSystem=strict \
    -p ProtectHome=read-only \
    -p PrivateNetwork=yes \
    -p NoNewPrivileges=yes \
    bash "$PWD/ai_generated_script.sh"

🔄 Human-in-the-Loop (Approval Flows)

If you are using AI to generate scripts within an automated CI/CD pipeline (e.g., using an LLM to generate migration scripts dynamically), you must implement an approval flow.

  1. AI Generates Script -> Saves to generated/migration_123.sh
  2. CI Pipeline -> Runs shellcheck and creates a Pull Request.
  3. Human Reviewer -> Reviews the PR. Checks for:
     - Destructive commands (rm, drop, truncate).
     - Hardcoded credentials.
     - Idempotency.
  4. Merge & Execute -> Runs only after human approval.
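An added example (not part of the original page) of a gate the CI step could run before opening the PR: it flags the two checklist items a regex can catch, destructive commands and hardcoded credentials, so the reviewer sees them up front. The patterns and the sample scripts in the test are constructed for this example; extend them for your own environment.

```shell
#!/bin/sh
# ai_script_gate.sh - pre-review gate for AI-generated shell scripts (added example).
# Flags the items on the reviewer checklist that a regex can catch: destructive
# commands and hardcoded credentials. It is a first filter for the CI step, not a
# substitute for the human review; a clean result does not mean the script is safe.

# Patterns are assumptions for this example; extend them for your environment.
# Match "rm -r...", "drop table/database", "truncate", "mkfs", "dd if=" as a command word.
DESTRUCTIVE_RE='(^|[^[:alnum:]_])(rm[[:space:]]+-[[:alnum:]]*r|drop[[:space:]]+(table|database)|truncate[[:space:]]|mkfs|dd[[:space:]]+if=)'
# Match a literal value assigned to a secret-looking name; a "$VAR" reference is not a literal.
CREDENTIAL_RE='(password|passwd|secret|api[_-]?key|token)[[:space:]]*=[[:space:]]*[^[:space:]$]{4,}'
# Match embedded key material ("-----BEGIN RSA PRIVATE KEY-----" and friends).
PRIVKEY_RE='BEGIN [A-Z ]*PRIVATE KEY'

# Print each finding as "<category>:<line-number>:<line>" and return 1 if any were found.
review_ai_script() {
    script="$1"
    findings=0
    # Comment lines are skipped so that a warning in a comment does not trip the gate.
    code=$(grep -nEv '^[[:space:]]*#' "$script" || true)

    hits=$(printf '%s\n' "$code" | grep -iE "$DESTRUCTIVE_RE" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/destructive:/'
        findings=1
    fi

    hits=$(printf '%s\n' "$code" | grep -iE "$CREDENTIAL_RE|$PRIVKEY_RE" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/credential:/'
        findings=1
    fi
    return "$findings"
}
```

Run it as `review_ai_script generated/migration_123.sh` from the pipeline and fail the job on a non-zero exit; the printed lines go into the PR description for the reviewer.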

🧾 Summary Checklist

✅ Never Pipe to Shell: Never do ai | bash.
✅ ShellCheck Everything: Make shellcheck a mandatory step for AI output.
✅ Use Sandboxes: Test complex AI scripts in --network none Docker containers.
✅ Restrict Privileges: Run AI scripts as non-root, restricted users.
✅ Human in the Loop: Require human review for scripts affecting production state.


🧾 See Also