Nushell Pro 最佳实践与安全指南 - 编写高性能、可维护的 Nushell 脚本

nushell-pro by hustcer/nushell-pro

294 周安装量

2 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/hustcer/nushell-pro --skill nushell-pro

代码规范命令行工具性能优化

🇨🇳中文介绍

Nushell Pro — 最佳实践与安全技能

编写地道、高性能、安全且可维护的 Nushell 脚本。本技能强制执行 Nushell 约定，捕获安全问题，并帮助避免常见陷阱。

核心原则

管道化思维 — 数据通过管道流动；优先使用函数式转换而非命令式循环
不可变性优先 — 默认使用 let；仅当函数式替代方案不适用时才使用 mut
结构化数据 — Nushell 原生处理表格、记录和列表；利用结构化数据而非字符串解析
静态解析 — 所有代码在执行前解析；source/use 需要解析时常量
隐式返回 — 最后一个表达式的值即为返回值；无需 echo 或 return
作用域环境 — 环境更改仅限于其所在块；当需要调用方更改时使用 def --env

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

关键点：管道输入与参数

管道输入 ($in) 与函数参数不可互换！

# 错误 — 将管道数据视为第一个参数
def my-func [items: list, value: any] {
    $items | append $value
}

# 正确 — 声明管道签名
def my-func [value: any]: list -> list {
    $in | append $value
}

# 用法
[1 2 3] | my-func 4  # 正确工作

管道输入可以惰性求值（流式处理）
参数是急切求值的（加载到内存中）
完全不同的调用约定 — $list | func arg 对比 func $list arg

def func [x: int] { ... }                    # 仅参数
def func []: string -> int { ... }           # 仅管道
def func [x: int]: string -> int { ... }     # 管道和参数
def func []: [list -> list, string -> list] { ... }  # 多个 I/O 类型

实体	约定	示例
命令	`kebab-case`	`fetch-user`, `build-all`
子命令	`kebab-case`	`"str my-cmd"`, `date list-timezone`
标志	`kebab-case`	`--all-caps`, `--output-dir`
变量/参数	`snake_case`	`$user_id`, `$file_path`
环境变量	`SCREAMING_SNAKE_CASE`	`$env.APP_VERSION`
常量	`snake_case`	`const max_retries = 3`

优先使用完整单词而非缩写，除非广为人知（url 可以，usr 不行）
标志变量访问时将短横线替换为下划线：--all-caps -> $all_caps

单行格式（短表达式的默认格式）

[1 2 3] | each {|x| $x * 2 }
{name: 'Alice', age: 30}

多行格式（脚本、>80 字符、嵌套结构）

[1 2 3 4] | each {|x|
    $x * 2
}

[
    {name: 'Alice', age: 30}
    {name: 'Bob', age: 25}
]

| 前后各一个空格
闭包中 |params| 前无空格：{|x| ...} 而非 { |x| ...}
记录中 : 后一个空格：{x: 1} 而非 {x:1}
列表中省略逗号：[1 2 3] 而非 [1, 2, 3]
无尾随空格
使用 , 时其后一个空格（闭包参数等）

自定义命令最佳实践

类型注解和 I/O 签名

# 完全类型化并带有 I/O 签名
def add-prefix [text: string, --prefix (-p): string = 'INFO']: nothing -> string {
    $'($prefix): ($text)'
}

# 多个 I/O 签名
def to-list []: [
    list -> list
    string -> list
] {
    # 实现
}

使用注释和属性的文档

# 从 API 获取用户数据
#
# 通过 ID 检索用户信息并返回
# 包含所有可用字段的结构化记录。
@example 'Fetch user by ID' { fetch-user 42 }
@category 'network'
def fetch-user [
    id: int           # 用户的唯一标识符
    --verbose (-v)    # 显示详细的请求信息
]: nothing -> record {
    # 实现
}

最多 2 个位置参数；其余使用标志
提供长标志名和短标志名：--output (-o): string
使用默认值：def greet [name: string = 'World']
使用 ? 表示可选位置参数：def greet [name?: string]
使用 rest 参数处理可变数量输入：def multi-greet [...names: string]
使用 def --wrapped 包装外部命令并转发未知标志

修改环境的命令

def --env setup-project [] {
    cd project-dir
    $env.PROJECT_ROOT = (pwd)
}

{name: 'Alice', age: 30}          # 创建记录
$rec1 | merge $rec2                # 合并（右偏）
[$r1 $r2 $r3] | into record       # 合并多个记录
$rec | update name {|r| $'Dr. ($r.name)' }  # 更新字段
$rec | insert active true          # 插入字段
$rec | upsert count {|r| ($r.count? | default 0) + 1 }  # 更新或插入
$rec | reject password secret_key  # 移除字段
$rec | select name age email       # 仅保留这些字段
$rec | items {|k, v| $'($k): ($v)' }  # 迭代键值对
$rec | transpose key val           # 转换为表格

$table | where age > 25                          # 筛选行
$table | insert retired {|row| $row.age > 65 }   # 添加列
$table | rename -c {age: years}                   # 重命名列
$table | group-by status --to-table               # 按字段分组
$table | transpose name data                      # 转置行/列
$table | join $other_table user_id                 # 内连接
$table | join --left $other user_id                # 左连接

$list | enumerate | where {|e| $e.index > 5 }     # 带索引筛选
$list | reduce --fold 0 {|it, acc| $acc + $it }   # 累加
$list | window 3                                   # 滑动窗口
$list | chunks 100                                 # 分批处理
$list | flatten                                    # 展平嵌套列表

$record.field?                    # 如果缺失则返回 null（无错误）
$record.field? | default 'N/A'   # 提供回退值
if ($record.field? != null) { }   # 检查存在性
$list | default -e $fallback      # 空集合的默认值

管道与函数式模式

优先使用函数式而非命令式

# 错误 — 使用可变变量的命令式
mut total = 0
for item in $items { $total += $item.price }

# 正确 — 函数式管道
$items | get price | math sum

# 错误 — 可变计数器
mut i = 0
for file in (ls) { print $'($i): ($file.name)'; $i += 1 }

# 正确 — 枚举
ls | enumerate | each {|it| $'($it.index): ($it.item.name)' }

# each: 转换每个元素
$list | each {|item| $item * 2 }

# each --flatten: 流式输出（将 list<list<T>> 转换为 list<T>）
ls *.txt | each --flatten {|f| open $f.name | lines } | find 'TODO'

# each --keep-empty: 保留 null 结果
[1 2 3] | each --keep-empty {|e| if $e == 2 { 'found' } }

# par-each: 并行处理（I/O 或 CPU 密集型）
$urls | par-each {|url| http get $url }
$urls | par-each --threads 4 {|url| http get $url }

# reduce: 累加（如果没有 --fold，第一个元素是初始累加器）
[1 2 3 4] | reduce {|it, acc| $acc + $it }

# generate: 从任意源创建值而无需 mut
generate {|state| { out: ($state * 2), next: ($state + 1) } } 1 | first 5

# 行条件 — 简写语法，自动展开 $it
ls | where type == file              # 简单且可读
$table | where size > 100            # 展开为：$it.size > 100

# 闭包 — 完全灵活，可以存储和重用
let big_files = {|row| $row.size > 1mb }
ls | where $big_files
$list | where {$in > 10}             # 使用 $in 或参数

简单字段比较使用行条件；复杂逻辑或可重用条件使用闭包。

使用 $in 的管道输入

def double-all []: list<int> -> list<int> {
    $in | each {|x| $x * 2 }
}

# 需要稍后使用时提前捕获 $in（首次使用时即被消耗）
def process []: table -> table {
    let input = $in
    let count = $input | length
    $input | first ($count // 2)
}

优先使用不可变性

let config = (open config.toml)
let names = $config.users | get name

# 可接受 — 当没有函数式替代方案时使用 mut
mut retries = 0
loop {
    if (try-connect) { break }
    $retries += 1
    if $retries >= 3 { error make {msg: 'Connection failed'} }
    sleep 1sec
}

const lib_path = 'src/lib.nu'
source $lib_path                  # 有效：const 在解析时解析

let lib_path = 'src/lib.nu'
source $lib_path                  # 错误：let 仅在运行时有效

闭包不能捕获 mut

mut count = 0
ls | each {|f| $count += 1 }     # 错误！闭包不能捕获 mut

# 解决方案：
ls | length                       # 使用内置命令
[1 2 3] | reduce {|x, acc| $acc + $x }  # 使用 reduce
for f in (ls) { $count += 1 }    # 如果确实需要突变，使用循环

完整优先级和规则请参阅字符串格式参考。

快速摘要（从高到低优先级）：

数组中的裸词：[foo bar baz]
正则表达式的原始字符串：r#'(?:pattern)'#
单引号：'simple string'
单引号插值：$'Hello, ($name)!'
仅转义时使用双引号："line1\nline2"
双引号插值：$"tab:\t($value)\n"（仅与转义一起使用）

my-module/
├── mod.nu              # 模块入口点
├── utils.nu            # 子模块
└── tests/
    └── mod.nu          # 测试模块

只有 export 定义是公开的；未导出的是私有的
当命令名与模块名匹配时使用 export def main
使用 export use submodule.nu * 重新导出子模块命令
使用 export-env 进行环境设置块

带有主命令和子命令的脚本

#!/usr/bin/env nu

# 构建项目
def "main build" [--release (-r)] {
    print 'Building...'
}

# 运行测试
def "main test" [--verbose (-v)] {
    print 'Testing...'
}

def main [] {
    print 'Usage: script.nu <build|test>'
}

对于 shebang 脚本中的 stdin 访问：#!/usr/bin/env -S nu --stdin

带有跨度信息的自定义错误

def validate-age [age: int] {
    if $age < 0 or $age > 150 {
        error make {
            msg: 'Invalid age value'
            label: {
                text: $'Age must be between 0 and 150, got ($age)'
                span: (metadata $age).span
            }
        }
    }
    $age
}

try/catch 和优雅降级

let result = try {
    http get $url
} catch {|err|
    print -e $'Request failed: ($err.msg)'
    null
}

# 使用 complete 获取详细的外部命令错误信息
let result = (^some-external-cmd | complete)
if $result.exit_code != 0 {
    print -e $'Error: ($result.stderr)'
}

使用 `do -i` 抑制错误

do -i（忽略错误）运行闭包并抑制任何错误，失败时返回 null。do -c（捕获错误）将错误捕获为值返回。

# 忽略错误 — 如果闭包失败则返回 null
do -i { rm non_existent_file }

# 用作简洁的回退
let val = (do -i { open config.toml | get setting } | default 'fallback')

# 将错误捕获为值（而不是中止管道）
let result = (do -c { ^some-cmd })

何时使用每种方法：

do -i — 发射后不管，或仅在失败时需要默认值时
do -c — 将错误捕获为值，以便在失败时中止下游管道
try/catch — 需要检查或记录错误时
complete — 需要外部命令的退出码 + stdout + stderr 时

use std/assert

for t in [[input expected]; [0 0] [1 1] [2 1] [5 5]] {
    assert equal (fib $t.input) $t.expected
}

def "assert even" [number: int] {
    assert ($number mod 2 == 0) --error-label {
        text: $'($number) is not an even number'
        span: (metadata $number).span
    }
}

$value | describe                 # 检查类型
$data | each {|x| print $x; $x } # 打印中间值（传递）
timeit { expensive-command }      # 测量执行时间
metadata $value                   # 检查跨度和其他元数据

完整指南请参阅安全参考。

Nushell 在设计上比 Bash 更安全（无 eval，参数作为数组传递而非通过 shell），但安全风险仍然存在。

切勿将不受信任的输入作为代码执行

# 危险 — 任意代码执行
^nu -c $user_input
source $user_provided_file

# 危险 — shell 解释字符串
^sh -c $'echo ($user_input)'
^bash -c $user_input

将命令与参数分离（防止注入）

# 错误 — 构建命令字符串
let cmd = $'ls ($user_path)'
^sh -c $cmd

# 正确 — 直接传递参数（无 shell 解释）
^ls $user_path
run-external 'ls' $user_path

验证和清理路径

# 错误 — 可能存在路径遍历
def read-file [name: string] { open $name }

# 正确 — 验证防止遍历
def read-file [name: string, --base-dir: string = '.'] {
    let full = ($base_dir | path join $name | path expand)
    let base = ($base_dir | path expand)
    if not ($full | str starts-with $base) {
        error make {msg: $'Path traversal detected: ($name)'}
    }
    open $full
}

# 错误 — 凭据对所有子进程和 env 可见
$env.API_KEY = 'secret-key-123'
^curl -H $'Authorization: Bearer ($env.API_KEY)' $url

# 正确 — 限定凭据作用域，使用 with-env
with-env {API_KEY: (open ~/.secrets/api_key | str trim)} {
    ^curl -H $'Authorization: Bearer ($env.API_KEY)' $url
}

安全的文件操作

# 错误 — 可预测的临时文件，竞态条件
let tmp = '/tmp/my-script-tmp'
'data' | save $tmp

# 正确 — 使用 mktemp 创建唯一临时文件
let tmp = (^mktemp | str trim)
'data' | save $tmp
# ... 使用 $tmp ...
rm $tmp

处理外部命令错误

let result = (^cargo build o+e>| complete)
if $result.exit_code != 0 {
    error make {msg: $'Build failed: ($result.stderr)'}
}

# 错误 — 来自变量的 glob，可能匹配意外文件
^rm $'($user_dir)/*'

# 正确 — 验证后使用 trash 或显式路径
if ($user_dir | path type) == 'dir' {
    rm -r $user_dir
}

完整清单请参阅脚本审查参考。

审查 Nushell 脚本时，按顺序检查以下类别：

1. 安全审查（最高优先级）

没有使用不受信任输入的 nu -c / source / ^sh -c
没有硬编码凭据或 env 泄漏
来自用户输入的路径经过验证（无遍历）
外部命令使用参数分离（而非字符串连接）
临时文件使用 mktemp，而非可预测路径
rm 操作受到保护且是故意的

所有导出命令都有类型注解
I/O 管道签名与实际行为匹配
对可能失败的操作进行错误处理（使用 try/catch）
当错误处理重要时，使用 complete 检查外部命令
使用 ? 运算符访问可选字段
没有将 for 作为最终表达式（改用 each）
闭包中没有捕获 mut

命名：kebab-case 命令，snake_case 变量
遵循字符串格式优先级
格式化：间距、行长度、多行规则
导出命令有文档注释
外部命令有 ^ 前缀
优先使用函数式风格而非命令式

I/O 或 CPU 密集型并行工作使用 par-each
适当时使用 each --flatten 进行流式处理
昂贵的计算缓存在 let 绑定中
大文件流式处理（惰性），而非完全加载

详细解释请参阅反模式参考。

反模式	修复
`echo $value`	直接使用 `$value`（隐式返回）
`$"simple text"`	`'simple text'`（无需插值）
`for` 作为最终表达式	使用 `each`（for 不返回值）
`mut` 用于累加	使用 `reduce` 或 `math sum`
`let path = ...; source $path`	`const path = ...; source $path`
`"hello" > file.txt`	`'hello'
`grep pattern`	`where $it =~ pattern` 或内置 `find`
解析字符串输出	使用结构化命令（`ls`, `ps`, `http get`）
`$env.FOO = bar` 在 `def` 内部	使用 `def --env`
`{	x
`$record.missing`（错误）	`$record.missing?`（返回 null）
对单个记录使用 `each`	改用 `items` 或 `transpose`
外部命令没有 `^`	使用 `^grep` 明确表示外部命令

使用类型签名 — 及早捕获错误，改进文档
优先使用管道 — 更地道、可组合且可流式处理
使用注释文档化 — 在 def 上方使用 # 以便集成帮助
选择性导出 — 不要污染命名空间
使用 default — 优雅处理 null/缺失值
验证输入 — 在函数开始时检查类型/范围
返回一致类型 — 不要意外混合 null 和值
使用模块 — 组织相关函数
外部命令加 ^ 前缀 — ^grep 而非 grep；Nushell 内置命令优先（例如，find 是 Nushell 的，而非 Unix find）
更快时使用外部工具 — 大文件搜索用 ^rg，巨型 JSON 用 ^jq

编写或审查 Nushell 代码时：

阅读现有代码 以理解上下文
安全审计 — 检查注入、路径遍历、凭据泄漏（参见安全）
检查命名 — kebab-case 命令，snake_case 变量
检查类型 — 添加/验证类型注解和 I/O 签名
检查字符串 — 遵循字符串格式优先级
检查模式 — 优先使用函数式管道而非命令式循环
检查格式化 — 间距、行长度、多行规则
检查文档 — 导出命令的注释、参数描述
检查错误处理 — try/catch、外部命令的 complete、验证输入
运行验证（如果可能）— nu -c 'source file.nu' 或 nu file.nu
总结更改，突出显示安全发现

安全 — 安全加固、威胁模型、安全模式
脚本审查 — 全面的审查清单
字符串格式 — 字符串类型优先级和转换规则
反模式 — 常见错误及详细修复
数据与类型系统 — 类型层次结构、集合、转换、类型守卫
高级模式 — 性能、流式处理、闭包、内存效率
模块与脚本 — 模块系统、测试、属性
Bash 转 Nushell — 从 Bash/POSIX 的转换指南

使用 nu -c 'help <command>' 检查命令签名和示例
使用 Nushell MCP 工具评估和测试 Nushell 代码
查阅 Nushell 手册获取深入文档

🇺🇸English

Nushell Pro — Best Practices & Security Skill

Write idiomatic, performant, secure, and maintainable Nushell scripts. This skill enforces Nushell conventions, catches security issues, and helps avoid common pitfalls.

Core Principles

Think in pipelines — Data flows through pipelines; prefer functional transformations over imperative loops
Immutability first — Use let by default; only use mut when functional alternatives don't apply
Structured data — Nushell works with tables, records, and lists natively; leverage structured data over string parsing
Static parsing — All code is parsed before execution; source/use require parse-time constants
Implicit return — The last expression's value is the return value; no need for echo or return
Scoped environment — Environment changes are local to their block; use def --env when caller-side changes are needed
Type safety — Annotate parameter types and input/output signatures for better error detection and documentation
Parallel ready — Immutable code enables easy par-each parallelization

Critical: Pipeline Input vs Parameters

Pipeline input ($in) is NOT interchangeable with function parameters!

# WRONG — treats pipeline data as first parameter
def my-func [items: list, value: any] {
    $items | append $value
}

# CORRECT — declares pipeline signature
def my-func [value: any]: list -> list {
    $in | append $value
}

# Usage
[1 2 3] | my-func 4  # Works correctly

Why this matters:

Pipeline input can be lazily evaluated (streaming)
Parameters are eagerly evaluated (loaded into memory)
Different calling conventions entirely — $list | func arg vs func $list arg

Type signature forms

def func [x: int] { ... }                    # params only
def func []: string -> int { ... }           # pipeline only
def func [x: int]: string -> int { ... }     # both pipeline and params
def func []: [list -> list, string -> list] { ... }  # multiple I/O types

Naming Conventions

Entity	Convention	Example
Commands	`kebab-case`	`fetch-user`, `build-all`
Subcommands	`kebab-case`	`"str my-cmd"`, `date list-timezone`
Flags	`kebab-case`	,

Prefer full words over abbreviations unless widely known (url ok, usr not ok)
Flag variable access replaces dashes with underscores: --all-caps -> $all_caps

Formatting Rules

One-line format (default for short expressions)

[1 2 3] | each {|x| $x * 2 }
{name: 'Alice', age: 30}

Multi-line format (scripts, >80 chars, nested structures)

[1 2 3 4] | each {|x|
    $x * 2
}

[
    {name: 'Alice', age: 30}
    {name: 'Bob', age: 25}
]

Spacing rules

One space before and after |
No space before |params| in closures: {|x| ...} not { |x| ...}
One space after : in records: {x: 1} not {x:1}
Omit commas in lists: [1 2 3] not [1, 2, 3]
No trailing spaces
One space after , when used (closure params, etc.)

Custom Commands Best Practices

Type annotations and I/O signatures

# Fully typed with I/O signature
def add-prefix [text: string, --prefix (-p): string = 'INFO']: nothing -> string {
    $'($prefix): ($text)'
}

# Multiple I/O signatures
def to-list []: [
    list -> list
    string -> list
] {
    # implementation
}

Documentation with comments and attributes

# Fetch user data from the API
#
# Retrieves user information by ID and returns
# a structured record with all available fields.
@example 'Fetch user by ID' { fetch-user 42 }
@category 'network'
def fetch-user [
    id: int           # The user's unique identifier
    --verbose (-v)    # Show detailed request info
]: nothing -> record {
    # implementation
}

Parameter guidelines

Maximum 2 positional parameters; use flags for the rest
Provide both long and short flag names: --output (-o): string
Use default values: def greet [name: string = 'World']
Use ? for optional positional params: def greet [name?: string]
Use rest params for variadic input: def multi-greet [...names: string]
Use def --wrapped to wrap external commands and forward unknown flags

Environment-modifying commands

def --env setup-project [] {
    cd project-dir
    $env.PROJECT_ROOT = (pwd)
}

Data Manipulation Patterns

Working with records

{name: 'Alice', age: 30}          # Create record
$rec1 | merge $rec2                # Merge (right-biased)
[$r1 $r2 $r3] | into record       # Merge many records
$rec | update name {|r| $'Dr. ($r.name)' }  # Update field
$rec | insert active true          # Insert field
$rec | upsert count {|r| ($r.count? | default 0) + 1 }  # Update or insert
$rec | reject password secret_key  # Remove fields
$rec | select name age email       # Keep only these fields
$rec | items {|k, v| $'($k): ($v)' }  # Iterate key-value pairs
$rec | transpose key val           # Convert to table

Working with tables

$table | where age > 25                          # Filter rows
$table | insert retired {|row| $row.age > 65 }   # Add column
$table | rename -c {age: years}                   # Rename column
$table | group-by status --to-table               # Group by field
$table | transpose name data                      # Transpose rows/columns
$table | join $other_table user_id                 # Inner join
$table | join --left $other user_id                # Left join

Working with lists

$list | enumerate | where {|e| $e.index > 5 }     # Filter with index
$list | reduce --fold 0 {|it, acc| $acc + $it }   # Accumulate
$list | window 3                                   # Sliding window
$list | chunks 100                                 # Process in batches
$list | flatten                                    # Flatten nested lists

Null safety

$record.field?                    # Returns null if missing (no error)
$record.field? | default 'N/A'   # Provide fallback
if ($record.field? != null) { }   # Check existence
$list | default -e $fallback      # Default for empty collections

Pipeline & Functional Patterns

Prefer functional over imperative

# Bad — imperative with mutable variable
mut total = 0
for item in $items { $total += $item.price }

# Good — functional pipeline
$items | get price | math sum

# Bad — mutable counter
mut i = 0
for file in (ls) { print $'($i): ($file.name)'; $i += 1 }

# Good — enumerate
ls | enumerate | each {|it| $'($it.index): ($it.item.name)' }

Iteration patterns

# each: transform each element
$list | each {|item| $item * 2 }

# each --flatten: stream outputs (turns list<list<T>> into list<T>)
ls *.txt | each --flatten {|f| open $f.name | lines } | find 'TODO'

# each --keep-empty: preserve null results
[1 2 3] | each --keep-empty {|e| if $e == 2 { 'found' } }

# par-each: parallel processing (I/O or CPU-bound)
$urls | par-each {|url| http get $url }
$urls | par-each --threads 4 {|url| http get $url }

# reduce: accumulate (first element is initial acc if no --fold)
[1 2 3 4] | reduce {|it, acc| $acc + $it }

# generate: create values from arbitrary sources without mut
generate {|state| { out: ($state * 2), next: ($state + 1) } } 1 | first 5

Row conditions vs closures

# Row conditions — short-hand syntax, auto-expands $it
ls | where type == file              # Simple and readable
$table | where size > 100            # Expands to: $it.size > 100

# Closures — full flexibility, can be stored and reused
let big_files = {|row| $row.size > 1mb }
ls | where $big_files
$list | where {$in > 10}             # Use $in or parameter

Use row conditions for simple field comparisons; use closures for complex logic or reusable conditions.

Pipeline input with $in

def double-all []: list<int> -> list<int> {
    $in | each {|x| $x * 2 }
}

# Capture $in early when needed later (it's consumed on first use)
def process []: table -> table {
    let input = $in
    let count = $input | length
    $input | first ($count // 2)
}

Variable Best Practices

Prefer immutability

let config = (open config.toml)
let names = $config.users | get name

# Acceptable — mut when no functional alternative
mut retries = 0
loop {
    if (try-connect) { break }
    $retries += 1
    if $retries >= 3 { error make {msg: 'Connection failed'} }
    sleep 1sec
}

Constants for parse-time values

const lib_path = 'src/lib.nu'
source $lib_path                  # Works: const is resolved at parse time

let lib_path = 'src/lib.nu'
source $lib_path                  # Error: let is runtime only

Closures cannot capture mut

mut count = 0
ls | each {|f| $count += 1 }     # Error! Closures can't capture mut

# Solutions:
ls | length                       # Use built-in commands
[1 2 3] | reduce {|x, acc| $acc + $x }  # Use reduce
for f in (ls) { $count += 1 }    # Use a loop if mutation truly needed

String Conventions

Refer to String Formats Reference for the full priority and rules.

Quick summary (high to low priority):

Bare words in arrays: [foo bar baz]
Raw strings for regex: r#'(?:pattern)'#
Single quotes: 'simple string'
Single-quoted interpolation: $'Hello, ($name)!'
Double quotes only for escapes: "line1\nline2"
Double-quoted interpolation: $"tab:\t($value)\n" (only with escapes)

Modules & Scripts

Module structure

my-module/
├── mod.nu              # Module entry point
├── utils.nu            # Submodule
└── tests/
    └── mod.nu          # Test module

Export rules

Only export definitions are public; non-exported are private
Use export def main when command name matches module name
Use export use submodule.nu * to re-export submodule commands
Use export-env for environment setup blocks

Script with main command and subcommands

#!/usr/bin/env nu

# Build the project
def "main build" [--release (-r)] {
    print 'Building...'
}

# Run tests
def "main test" [--verbose (-v)] {
    print 'Testing...'
}

def main [] {
    print 'Usage: script.nu <build|test>'
}

For stdin access in shebang scripts: #!/usr/bin/env -S nu --stdin

Error Handling

Custom errors with span info

def validate-age [age: int] {
    if $age < 0 or $age > 150 {
        error make {
            msg: 'Invalid age value'
            label: {
                text: $'Age must be between 0 and 150, got ($age)'
                span: (metadata $age).span
            }
        }
    }
    $age
}

try/catch and graceful degradation

let result = try {
    http get $url
} catch {|err|
    print -e $'Request failed: ($err.msg)'
    null
}

# Use complete for detailed external command error info
let result = (^some-external-cmd | complete)
if $result.exit_code != 0 {
    print -e $'Error: ($result.stderr)'
}

Suppress errors with `do -i`

do -i (ignore errors) runs a closure and suppresses any errors, returning null on failure. do -c (capture errors) catches errors and returns them as values.

# Ignore errors — returns null if the closure fails
do -i { rm non_existent_file }

# Use as a concise fallback
let val = (do -i { open config.toml | get setting } | default 'fallback')

# Capture errors as values (instead of aborting the pipeline)
let result = (do -c { ^some-cmd })

When to use each approach:

do -i — Fire-and-forget, or when you only need a default on failure
do -c — Catch errors as values to abort downstream pipeline on failure
try/catch — When you need to inspect or log the error
complete — When you need exit code + stdout + stderr from external commands

Testing

Using std assert

use std/assert

for t in [[input expected]; [0 0] [1 1] [2 1] [5 5]] {
    assert equal (fib $t.input) $t.expected
}

Custom assertions

def "assert even" [number: int] {
    assert ($number mod 2 == 0) --error-label {
        text: $'($number) is not an even number'
        span: (metadata $number).span
    }
}

Debugging Techniques

$value | describe                 # Inspect type
$data | each {|x| print $x; $x } # Print intermediate values (pass-through)
timeit { expensive-command }      # Measure execution time
metadata $value                   # Inspect span and other metadata

Security Best Practices

Refer to Security Reference for the full guide.

Nushell is safer than Bash by design (no eval, arguments passed as arrays not through shell), but security risks remain.

Never execute untrusted input as code

# DANGEROUS — arbitrary code execution
^nu -c $user_input
source $user_provided_file

# DANGEROUS — shell interprets the string
^sh -c $'echo ($user_input)'
^bash -c $user_input

Separate commands from arguments (prevent injection)

# Bad — constructing command strings
let cmd = $'ls ($user_path)'
^sh -c $cmd

# Good — pass arguments directly (no shell interpretation)
^ls $user_path
run-external 'ls' $user_path

Validate and sanitize paths

# Bad — path traversal possible
def read-file [name: string] { open $name }

# Good — validate against traversal
def read-file [name: string, --base-dir: string = '.'] {
    let full = ($base_dir | path join $name | path expand)
    let base = ($base_dir | path expand)
    if not ($full | str starts-with $base) {
        error make {msg: $'Path traversal detected: ($name)'}
    }
    open $full
}

Protect credentials

# Bad — credential visible to all child processes and in env
$env.API_KEY = 'secret-key-123'
^curl -H $'Authorization: Bearer ($env.API_KEY)' $url

# Good — scope credentials, use with-env
with-env {API_KEY: (open ~/.secrets/api_key | str trim)} {
    ^curl -H $'Authorization: Bearer ($env.API_KEY)' $url
}

Safe file operations

# Bad — predictable temp file, race condition
let tmp = '/tmp/my-script-tmp'
'data' | save $tmp

# Good — use mktemp for unique temp files
let tmp = (^mktemp | str trim)
'data' | save $tmp
# ... use $tmp ...
rm $tmp

Handle external command errors

let result = (^cargo build o+e>| complete)
if $result.exit_code != 0 {
    error make {msg: $'Build failed: ($result.stderr)'}
}

Safe rm operations

# Bad — glob from variable, could match unintended files
^rm $'($user_dir)/*'

# Good — validate then use trash or explicit paths
if ($user_dir | path type) == 'dir' {
    rm -r $user_dir
}

Script Review Checklist

Refer to Script Review Reference for the full checklist.

When reviewing a Nushell script, check these categories in order:

1. Security review (highest priority)

No nu -c / source / ^sh -c with untrusted input
No credential hardcoding or env leaking
Paths from user input are validated (no traversal)
External commands use argument separation (not string concatenation)
Temp files use mktemp, not predictable paths
rm operations are guarded and intentional

2. Correctness review

Type annotations on all exported commands
I/O pipeline signatures match actual behavior
Error handling with try/catch for fallible operations
External commands checked with complete when error handling matters
Optional fields accessed with ? operator
No for as final expression (use each instead)
mut not captured in closures

3. Style review

Naming: kebab-case commands, snake_case variables
String format priority followed
Formatting: spacing, line length, multi-line rules
Documentation comments on exported commands
^ prefix on external commands
Functional style preferred over imperative

4. Performance review

par-each for I/O or CPU-bound parallel work
each --flatten for streaming when appropriate
Expensive computations cached in let bindings
Large files streamed (lazy), not loaded entirely

Common Pitfalls

Refer to Anti-Patterns Reference for detailed explanations.

Anti-Pattern	Fix
`echo $value`	Just `$value` (implicit return)
`$"simple text"`	`'simple text'` (no interpolation needed)
`for` as final expression	Use `each` (for doesn't return a value)
`mut` for accumulation	Use `reduce` or

Best Practices Summary

Use type signatures — Catch errors early, improve documentation
Prefer pipelines — More idiomatic, composable, and streamable
Document with comments — # above def for help integration
Export selectively — Don't pollute namespace
Usedefault — Handle null/missing gracefully
Validate inputs — Check types/ranges at function start
Return consistent types — Don't mix null and values unexpectedly
Use modules — Organize related functions
Prefix external commands with^ — ^grep not grep; Nushell builtins take precedence (e.g., find is Nushell's, not Unix )

Workflow

When writing or reviewing Nushell code:

Read existing code to understand the context
Security audit — Check for injection, path traversal, credential leaks (see Security)
Check naming — kebab-case commands, snake_case variables
Check types — Add/verify type annotations and I/O signatures
Check strings — Follow the string format priority
Check patterns — Prefer functional pipelines over imperative loops
Check formatting — Spacing, line length, multi-line rules
Check documentation — Comments for exported commands, parameter descriptions
Check error handling — try/catch, complete for externals, validate inputs
Run validation if possible — nu -c 'source file.nu' or nu file.nu
Summarize changes made with security findings highlighted

References

Security — Security hardening, threat model, safe patterns
Script Review — Comprehensive review checklist
String Formats — String type priority and conversion rules
Anti-Patterns — Common mistakes with detailed fixes
Data & Type System — Type hierarchy, collections, conversions, type guards
Advanced Patterns — Performance, streaming, closures, memory efficiency
Modules & Scripts — Module system, testing, attributes
Bash to Nushell — Conversion guide from Bash/POSIX

Getting Help

Use nu -c 'help <command>' to check command signatures and examples
Use Nushell MCP tools for evaluating and testing Nushell code
Consult the Nushell Book for in-depth documentation

Weekly Installs

294

Repository

hustcer/nushell-pro

GitHub Stars

First Seen

Mar 1, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

claude-code283

opencode272

codex272

cursor272

gemini-cli24

github-copilot24

Use external tools when faster — ^rg for large file search, ^jq for giant JSON

Nushell Pro 最佳实践与安全指南 - 编写高性能、可维护的 Nushell 脚本

🇨🇳中文介绍

Nushell Pro — 最佳实践与安全技能

核心原则

相关 Skills

关键点：管道输入与参数

类型签名形式

命名约定

格式化规则

单行格式（短表达式的默认格式）

多行格式（脚本、>80 字符、嵌套结构）

间距规则

自定义命令最佳实践

类型注解和 I/O 签名

使用注释和属性的文档

参数指南

修改环境的命令

数据操作模式

处理记录

处理表格

处理列表

空值安全

管道与函数式模式

优先使用函数式而非命令式

迭代模式

行条件与闭包

使用 $in 的管道输入

变量最佳实践

优先使用不可变性

解析时常量

闭包不能捕获 mut

字符串约定

模块与脚本

模块结构

导出规则

带有主命令和子命令的脚本

错误处理

带有跨度信息的自定义错误

try/catch 和优雅降级

使用 do -i 抑制错误

测试

使用 std assert

自定义断言

调试技术

安全最佳实践