Script Execution

Tools for running scripts on the target system. These tools are only available when the server is started with --toolset run-script or --toolset both. See Guarded Command Execution for details.

Remote execution

All tools on this page accept an optional host parameter (string) to execute the command on a remote machine via SSH instead of locally. See SSH Configuration for details.

run_script

Call this tool to run a previously validated script. Use this when validate_script returned needs_confirmation: false.

Parameters:

  • token (string, required): The token returned by the validate_script tool.

run_script_interactive

Run a script that modifies the system. The user will be asked for approval interactively. A bash script should be used for simple operations that can be expressed cleanly as a few shell commands, but a Python script should be used if complex processing is needed. Bash scripts are run with strict mode (set -euo pipefail) applied by the invocation, so handle expected non-zero exit codes in the script (e.g. with || true) where needed.

Write short, simple scripts that are easy to review - do not include unnecessary complexity such as elaborate logging or handling unlikely corner cases.
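
How strict mode changes the outcome of a short bash script, shown as an added example that is not part of the original documentation or the project's code. The helper run_strict is a hypothetical stand-in for the server's invocation (the page only states that set -euo pipefail is applied), and the sample config file and variable names are constructed.

```bash
#!/usr/bin/env bash
# Hypothetical helper (assumption, not the server's code): run a script body
# under the strict mode the page says the invocation applies.
run_strict() {
    bash -c "set -euo pipefail
$1"
}

# Constructed sample input: an nginx-style config with no "ssl" directive.
SAMPLE=$(mktemp)
export SAMPLE
trap 'rm -f "$SAMPLE"' EXIT
printf 'listen 80;\nserver_name example.test;\n' > "$SAMPLE"

# Case 1: grep exits 1 when nothing matches, so -e aborts before the echo.
unhandled() {
    run_strict 'hits=$(grep -c ssl "$SAMPLE")
echo "ssl lines: $hits"'
}

# Case 2: the expected "no match" status is absorbed with || true.
handled() {
    run_strict 'hits=$(grep -c ssl "$SAMPLE" || true)
echo "ssl lines: $hits"'
}

# Case 3: pipefail makes a failure in the first pipeline stage fatal,
# even though the last stage (wc) succeeds.
pipeline() {
    run_strict 'grep ssl "$SAMPLE" | wc -l
echo "not reached"'
}

# Case 4: -u turns a reference to an unset variable into an error.
unset_var() {
    run_strict 'echo "target: $UNDEFINED_TARGET_FOR_DEMO"'
}

# Show the exit status of each case.
for name in unhandled handled pipeline unset_var; do
    status=0
    "$name" 2>/dev/null || status=$?
    echo "$name -> exit status $status"
done
```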

Note

This tool may modify system state.

Note

Only available with clients that support MCP apps (e.g. RHEL Lightspeed).

Parameters:

  • description (string, required): Description of what the script does - e.g. 'Modify file permissions on nginx.conf to fix startup errors.'
  • script_type ("python", "bash", required): The type of script to run (python or bash).
  • script (string, required): The script to run.
  • readonly (boolean, required): Should be true if the script does not modify the system.
  • token (string, required): The token returned by the validate_script tool.

Returns:

  • id (string)
  • status ("OK", "BAD_DESCRIPTION", "POLICY", "MODIFIES_SYSTEM", "UNCLEAR", "DANGEROUS", "MALICIOUS")
  • detail (string)

run_script_with_confirmation

Call this tool to run a previously validated script that modifies the system. Use this when validate_script returned needs_confirmation: true. The parameters must match those passed to validate_script.

Note

This tool may modify system state.

Note

Not available with clients that support MCP apps; use the interactive variant instead.

Parameters:

  • description (string, required): Description of what the script does - e.g. 'Modify file permissions on nginx.conf to fix startup errors.'
  • script_type ("python", "bash", required): The type of script to run (python or bash).
  • script (string, required): The script to run.
  • readonly (boolean, required): Should be true if the script does not modify the system.
  • token (string, required): The token returned by the validate_script tool.

validate_script

Request validation of a script from the gatekeeper. The tool will return a unique token that must be included in the run_script tool call.

Parameters:

  • description (string, required): Description of what the script does - e.g. 'Modify file permissions on nginx.conf to fix startup errors.'
  • script_type ("python", "bash", required): The type of script to run (python or bash).
  • script (string, required): The script to run.
  • readonly (boolean, default: true): Should be true if the script does not modify the system.