docs/tools/shell.md
run_shell_command)The run_shell_command tool allows the Gemini model to execute commands
directly on your system's shell. It is the primary mechanism for the agent to
interact with your environment beyond simple file edits.
On Windows, commands execute with powershell.exe -NoProfile -Command. On other
platforms, they execute with bash -c.
command (string, required): The exact shell command to execute.description (string, optional): A brief description shown to the user for
confirmation.dir_path (string, optional): The absolute path or relative path from
workspace root where the command runs.is_background (boolean, optional): Whether to move the process to the
background immediately after starting.The tool returns a JSON object containing:
Command: The executed string.Directory: The execution path.Stdout / Stderr: The output streams.Exit Code: The process return code.Background PIDs: PIDs of any started background processes.You can configure the behavior of the run_shell_command tool by modifying your
settings.json file or by using the /settings command in Gemini CLI.
To enable interactive commands, you need to set the
tools.shell.enableInteractiveShell setting to true. This will use node-pty
for shell command execution, which allows for interactive sessions. If
node-pty is not available, it will fall back to the child_process
implementation, which does not support interactive commands.
Example settings.json:
{
"tools": {
"shell": {
"enableInteractiveShell": true
}
}
}
To show color in the shell output, you need to set the tools.shell.showColor
setting to true. This setting only applies when
tools.shell.enableInteractiveShell is enabled.
Example settings.json:
{
"tools": {
"shell": {
"showColor": true
}
}
}
You can set a custom pager for the shell output by setting the
tools.shell.pager setting. The default pager is cat. This setting only
applies when tools.shell.enableInteractiveShell is enabled.
Example settings.json:
{
"tools": {
"shell": {
"pager": "less"
}
}
}
The run_shell_command tool now supports interactive commands by integrating a
pseudo-terminal (pty). This lets you run commands that require real-time user
input, such as text editors (vim, nano), terminal-based UIs (htop), and
interactive version control operations (git rebase -i).
When an interactive command is running, you can send input to it from the Gemini
CLI. To focus on the interactive shell, press Tab. The terminal output,
including complex TUIs, will be rendered correctly.
Stderr, Error, and Exit Code fields to
determine if a command executed successfully.&,
the tool will return immediately and the process will continue to run in the
background. The Background PIDs field will contain the process ID of the
background process.When run_shell_command executes a command, it sets the GEMINI_CLI=1
environment variable in the subprocess's environment. This allows scripts or
tools to detect if they are being run from within Gemini CLI.
[!WARNING] The
tools.coresetting is an allowlist for all built-in tools, not just shell commands. When you settools.coreto any value, only the tools explicitly listed will be enabled. This includes all built-in tools likeread_file,write_file,glob,grep_search,list_directory,replace, etc.
You can restrict the commands that can be executed by the run_shell_command
tool by using the tools.core and tools.exclude settings in your
configuration file.
tools.core: To restrict run_shell_command to a specific set of commands,
add entries to the core list under the tools category in the format
run_shell_command(<command>). For example,
"tools": {"core": ["run_shell_command(git)"]} will only allow git
commands. Including the generic run_shell_command acts as a wildcard,
allowing any command not explicitly blocked.tools.exclude [DEPRECATED]: To block specific commands, use the
Policy Engine. Historically, this setting
allowed adding entries to the exclude list under the tools category in the
format run_shell_command(<command>). For example,
"tools": {"exclude": ["run_shell_command(rm)"]} will block rm commands.The validation logic is designed to be secure and flexible:
&&, ||, or ; and validates each part separately. If any
part of the chain is disallowed, the entire command is blocked.git, you can run git status or git log.tools.exclude list is always checked first.
If a command matches a blocked prefix, it will be denied, even if it also
matches an allowed prefix in tools.core.Allow only specific command prefixes
To allow only git and npm commands, and block all others:
{
"tools": {
"core": ["run_shell_command(git)", "run_shell_command(npm)"]
}
}
git status: Allowednpm install: Allowedls -l: BlockedBlock specific command prefixes
To block rm and allow all other commands:
{
"tools": {
"core": ["run_shell_command"],
"exclude": ["run_shell_command(rm)"]
}
}
rm -rf /: Blockedgit status: Allowednpm install: AllowedBlocklist takes precedence
If a command prefix is in both tools.core and tools.exclude, it will be
blocked.
tools.shell.enableInteractiveShell: (boolean) Uses node-pty for
real-time interaction.tools.shell.showColor: (boolean) Preserves ANSI colors in output.tools.shell.inactivityTimeout: (number) Seconds to wait for output
before killing the process.You can limit which commands the agent is allowed to request using these settings:
tools.core: An allowlist of command prefixes (for example,
["git", "npm test"]).tools.exclude: A blocklist of command prefixes.