feat: always ask for approval for non-readonly commands (#510)

Author: droot

pkg/agent/conversation.go

@@ -936,13 +936,7 @@ func (c *Agent) analyzeToolCalls(ctx context.Context, toolCalls []gollm.Function
 		if err != nil {
 			toolCallAnalysis[i].IsInteractiveError = err
 		}
-		modifiesResourceStr := toolCall.GetTool().CheckModifiesResource(call.Arguments)
-		if modifiesResourceStr == "unknown" {
-			if llmModifies, ok := call.Arguments["modifies_resource"].(string); ok {
-				modifiesResourceStr = llmModifies
-			}
-		}
-		toolCallAnalysis[i].ModifiesResourceStr = modifiesResourceStr
+		toolCallAnalysis[i].ModifiesResourceStr = toolCall.GetTool().CheckModifiesResource(call.Arguments)
 		toolCallAnalysis[i].ParsedToolCall = toolCall
 	}
 	return toolCallAnalysis, nil

pkg/tools/kubectl_filter.go

@@ -71,6 +71,7 @@ func kubectlModifiesResource(command string) string {
 
 	hasReadCommand := false
 	foundWrite := false
+	numCmds := 0
 
 	// Single pass through all command calls
 	syntax.Walk(file, func(node syntax.Node) bool {
@@ -87,10 +88,21 @@ func kubectlModifiesResource(command string) string {
 			if result == "no" {
 				hasReadCommand = true
 			}
+			numCmds++
+			if numCmds > 1 {
+				return false // Stop walking if more then one command is found
+			}
 		}
 		return true
 	})
 
+	if numCmds > 1 {
+		// if it's a composite bash command, we should err on the side of caution and return unknown
+		// to prevent exfilteration attacks https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/
+		klog.Infof("KubectlModifiesResource result: unknown for command: %q, multiple commands (%d) found", command, numCmds)
+		return "unknown"
+	}
+
 	// Return results based on what we found
 	if foundWrite {
 		klog.Infof("KubectlModifiesResource result: yes (write operation found) for command: %q", command)