Description

Defensive Bash scripting for Linux: safe foundations, argument parsing, production patterns, ShellCheck compliance. Use when writing bash scripts, shell scri...

README (SKILL.md)

Linux Bash Scripting

Name: ia-linux-bash-scripting
Author: iliaal

Produce bash scripts that pass shellcheck --enable=all and shfmt -d with zero warnings.

Target: GNU Bash 4.4+ on Linux. No macOS/BSD workarounds, no Windows paths, no POSIX-only restrictions.

Script Foundation

#!/usr/bin/env bash
set -Eeuo pipefail
shopt -s inherit_errexit

readonly SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd -P)"

trap 'printf "Error at %s:%d\
" "${BASH_SOURCE[0]}" "$LINENO" >&2' ERR
trap 'rm -rf -- "${_tmpdir:-}"' EXIT

-E propagates ERR traps into functions
inherit_errexit propagates errexit into $() command substitutions
Always create temp dirs under the EXIT trap: _tmpdir=$(mktemp -d)
Wrap body in main() { ... } with source guard: [[ "${BASH_SOURCE[0]}" == "$0" ]] && main "$@" -- enables sourcing for testing

Core Rules

Quote every expansion: "$var", "$(cmd)", "${array[@]}"
local for function variables, local -r for function constants, readonly for script constants
printf '%s\ ' over echo -- predictable behavior, no flag interpretation
[[ ]] for conditionals; (( )) for arithmetic; $() over backticks
End options with --: rm -rf -- "$path", grep -- "$pattern" "$file"
Require env vars: : "${VAR:?must be set}"
Never eval user input; build commands as arrays: cmd=("grep" "--" "$pat" "$f"); "${cmd[@]}"
Separate local from assignment to preserve exit codes: local val; val=$(cmd)
Debug tracing: PS4='+${BASH_SOURCE[0]}:${LINENO}: ' with bash -x -- shows file:line per command
Named exit codes: readonly EX_USAGE=64 EX_CONFIG=78 -- no magic numbers in exit
Pipeline diagnostics: "${PIPESTATUS[@]}" shows exit code of each pipe stage, not just last failure

Safe Iteration

# NUL-delimited file processing
while IFS= read -r -d '' f; do
    process "$f"
done \x3C \x3C(find /path -type f -name '*.log' -print0)

# Array from command output
readarray -t lines \x3C \x3C(command)
readarray -d '' files \x3C \x3C(find . -print0)

# Glob with no-match guard
for f in *.txt; do [[ -e "$f" ]] || continue; process "$f"; done

Argument Parsing

verbose=false; output=""
while [[ $# -gt 0 ]]; do
    case "$1" in
        -v|--verbose) verbose=true; shift ;;
        -o|--output)  output="$2"; shift 2 ;;
        -h|--help)    usage; exit 0 ;;
        --)           shift; break ;;
        -*)           printf 'Unknown: %s\
' "$1" >&2; exit 1 ;;
        *)            break ;;
    esac
done

Production Patterns

Dependency check:

require() { command -v "$1" &>/dev/null || { printf 'Missing: %s\
' "$1" >&2; exit 1; }; }
require jq; require curl

Dry-run wrapper:

run() { if [[ "${DRY_RUN:-}" == "1" ]]; then printf '[dry] %s\
' "$*" >&2; else "$@"; fi; }
run cp "$src" "$dst"

Atomic file write -- write to temp, rename into place:

atomic_write() { local tmp; tmp=$(mktemp); cat >"$tmp"; mv -- "$tmp" "$1"; }
generate_config | atomic_write /etc/app/config.yml

Retry with backoff:

retry() { local n=0 max=5 delay=1; until "$@"; do ((++n>=max)) && return 1; sleep $delay; ((delay*=2)); done; }
retry curl -fsSL "$url"

Script locking -- prevent concurrent runs:

exec 9>/var/lock/"${0##*/}".lock
flock -n 9 || { printf 'Already running\
' >&2; exit 1; }

Idempotent operations -- safe to rerun:

ensure_dir()  { [[ -d "$1" ]] || mkdir -p -- "$1"; }
ensure_link() { [[ -L "$2" ]] || ln -s -- "$1" "$2"; }

Input validation: [[ "$1" =~ ^[1-9][0-9]*$ ]] || die "Invalid: $1" -- validate at script boundaries with [[ =~ ]]

umask 077 for scripts creating sensitive files
Signal cleanup: trap 'cleanup; exit 130' INT TERM -- preserves correct exit codes for callers

Logging

log() { printf '[%s] [%s] %s\
' "$(date -Iseconds)" "$1" "${*:2}" >&2; }
info()  { log INFO "$@"; }
warn()  { log WARN "$@"; }
error() { log ERROR "$@"; }
die()   { error "$@"; exit 1; }

Anti-Patterns

Bad	Fix
`for f in $(ls)`	`for f in *; do` or `find -print0 \| while read`
`local x=$(cmd)`	`local x; x=$(cmd)` -- preserves exit code
`echo "$data"`	`printf '%s\
' "$data"`
`cat file \| grep`	`grep pat file`
`kill -9 $pid` first	`kill "$pid"` first, `-9` as last resort
`cd dir; cmd`	`cd dir

Performance

Parameter expansion over externals: ${path%/*} not dirname, ${path##*/} not basename, ${var//old/new} not sed
(( )) over expr; [[ =~ ]] over echo | grep
Cache results: val=$(cmd) once, reuse $val
xargs -0 -P "$(nproc)" for parallel work
declare -A map for lookups instead of repeated grep

Bash 4.4+ / 5.x

${var@Q} shell-quoted, ${var@U} uppercase, ${var@L} lowercase
declare -n ref=varname nameref for indirect access
wait -n wait for any background job
$EPOCHSECONDS, $EPOCHREALTIME -- timestamps without forking date

Linux-Specific

GNU coreutils differ from macOS: sed -i (no '' suffix), grep -P (PCRE support), readlink -f (canonical path)
timeout 30s cmd to prevent automation hangs

ShellCheck

Run shellcheck --enable=all script.sh. Key rules:

SC2155: Separate declaration from assignment
SC2086: Double-quote variables
SC2046: Quote command substitutions
SC2164: cd dir || exit
SC2327/SC2328: Use ${BASH_REMATCH[n]} not $n for regex captures

Pre-commit: shellcheck *.sh && shfmt -i 2 -ci -d *.sh

Verify

Run shellcheck --enable=all and shfmt -d with zero warnings before declaring done. Test edge cases: empty input, missing files, spaces in paths.

Usage Guidance

This skill is a style-and-pattern guide for writing Bash on Linux and does not itself run or download code. However, anything the agent generates based on these instructions may perform system actions (writing /etc files, creating locks, running curl, etc.). Before running generated scripts: review the script contents line-by-line, confirm any operations that modify system files or run network commands are intended, run shellcheck/shfmt locally, prefer running in a non-production environment first, and avoid executing as root unless you understand the changes. If you need stricter guarantees, require the agent to show diffs and explicit justification for writes to sensitive paths (e.g., /etc) before you run them.

Capability Analysis

Type: OpenClaw Skill Name: compound-eng-linux-bash-scripting Version: 3.0.4 The skill bundle provides high-quality, defensive coding standards for Bash scripting, emphasizing security best practices such as ShellCheck compliance, input validation, and avoiding dangerous functions like 'eval'. The instructions in SKILL.md and the development specifications in SPEC.md are strictly aligned with the stated purpose of improving script reliability and safety without any indicators of malicious intent or data exfiltration.

Capability Assessment

✓ Purpose & Capability

Name/description match the content: SKILL.md is a detailed, Linux-focused Bash style and pattern guide. It does not request unrelated binaries, credentials, or installs, so the declared purpose aligns with what the skill requires and provides.

✓ Instruction Scope

The SKILL.md stays within the domain of producing safe Bash scripts. Examples reference system paths (/etc, /var/lock, find /path), tools (curl, jq, shellcheck, shfmt) and patterns appropriate for scripting. The document does not instruct the agent to read arbitrary host secrets or to exfiltrate data. Because this is guidance (not executable code bundled with the skill), the runtime risk comes from scripts generated by the agent — those should be reviewed before execution.

✓ Install Mechanism

No install spec is present (instruction-only), so nothing is downloaded or written to disk by the skill itself. This is the lowest-risk installation model.

✓ Credentials

The skill declares no required environment variables, credentials, or config paths. The SKILL.md shows patterns for validating/ requiring env vars in generated scripts (e.g., ': "${VAR:?must be set}"'), which is appropriate and not the same as the skill requesting secrets itself.

✓ Persistence & Privilege

No privileged persistence is requested. always is false and the skill is user-invocable. There is no indication it modifies other skills or agent-wide config.

Version History

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.56.1

v2.56.0

v2.55.1

v2.55.0

v2.53.2

v2.53.0

Metadata

Slug compound-eng-linux-bash-scripting

Version 3.0.4

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 11

Frequently Asked Questions

What is ia-linux-bash-scripting?

Defensive Bash scripting for Linux: safe foundations, argument parsing, production patterns, ShellCheck compliance. Use when writing bash scripts, shell scri... It is an AI Agent Skill for Claude Code / OpenClaw, with 360 downloads so far.

How do I install ia-linux-bash-scripting?

Run "/install compound-eng-linux-bash-scripting" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is ia-linux-bash-scripting free?

Yes, ia-linux-bash-scripting is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does ia-linux-bash-scripting support?

ia-linux-bash-scripting is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created ia-linux-bash-scripting?

It is built and maintained by Ilia Alshanetsky (@iliaal); the current version is v3.0.4.

More Skills

ia-linux-bash-scripting