From 3eb7dc73b788d158a00a888d3f4c4a30b18c88db Mon Sep 17 00:00:00 2001
From: Jeon Suyeol
Date: Wed, 11 Feb 2026 18:50:51 +0900
Subject: [PATCH] block remote URLs in look-at file_path validation
---
 src/tools/look-at/look-at-arguments.ts | 3 +++
 src/tools/look-at/tools.test.ts | 27 ++++++++++++++++++++++++++
 2 files changed, 30 insertions(+)
diff --git a/src/tools/look-at/look-at-arguments.ts b/src/tools/look-at/look-at-arguments.ts
index dc98f6925..4a2d978fb 100644
--- a/src/tools/look-at/look-at-arguments.ts
+++ b/src/tools/look-at/look-at-arguments.ts
@@ -16,6 +16,9 @@ export function validateArgs(args: LookAtArgs): string | null {
 const hasFilePath = Boolean(args.file_path && args.file_path.length > 0)
 const hasImageData = Boolean(args.image_data && args.image_data.length > 0)
+ if (hasFilePath && /^https?:\/\//i.test(args.file_path!)) {
+ return "Error: Remote URLs are not supported for file_path. Download the file first or use a local path."
+ }
 if (!hasFilePath && !hasImageData) {
 return `Error: Must provide either 'file_path' or 'image_data'. Usage:
 - look_at(file_path="/path/to/file", goal="what to extract")
diff --git a/src/tools/look-at/tools.test.ts b/src/tools/look-at/tools.test.ts
index 8f97ea238..bb71703bc 100644
--- a/src/tools/look-at/tools.test.ts
+++ b/src/tools/look-at/tools.test.ts
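Review bot: The guard added to `validateArgs` in look-at-arguments.ts is a denylist of exactly two schemes, so a `file_path` with any other scheme (`ftp://…`, for example) or with leading whitespace before `http://` is not rejected here and goes on to whatever consumes the path. That consumer is outside this hunk, so whether such a value could ever be fetched is not visible; if the intent is "local paths only", the check is safer written against any URL scheme after trimming: `if (hasFilePath && /^[a-z][a-z0-9+.-]*:\/\//i.test(args.file_path!.trim())) {`. That form also rejects `file://`, so it is worth deciding explicitly whether that scheme should stay accepted. A one-line comment above the check, such as `// file_path must be a local path; reject anything that parses as scheme://`, would record the intent. The body of `validateArgs` continues past the end of the hunk.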
@@ -108,6 +108,33 @@ describe("look-at tool", () => {
 expect(error).toContain("file_path")
 expect(error).toContain("image_data")
 })
+
+ // given file_path is a remote HTTP URL
+ // when validated
+ // then return error about remote URLs not supported
+ test("returns error when file_path is an http:// URL", () => {
+ const args = { file_path: "http://example.com/image.png", goal: "analyze" }
+ const error = validateArgs(args)
+ expect(error).toContain("Remote URLs are not supported")
+ })
+
+ // given file_path is a remote HTTPS URL
+ // when validated
+ // then return error about remote URLs not supported
+ test("returns error when file_path is an https:// URL", () => {
+ const args = { file_path: "https://example.com/document.pdf", goal: "extract text" }
+ const error = validateArgs(args)
+ expect(error).toContain("Remote URLs are not supported")
+ })
+
+ // given file_path is a remote URL with mixed case scheme
+ // when validated
+ // then return error (case-insensitive check)
+ test("returns error when file_path is a remote URL with mixed case", () => {
+ const args = { file_path: "HTTPS://Example.com/file.png", goal: "analyze" }
+ const error = validateArgs(args)
+ expect(error).toContain("Remote URLs are not supported")
+ })
 })
 describe("createLookAt error handling", () => {
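Review bot: All three added tests assert rejection only, so nothing pins the `^` anchor of the new guard. If the pattern were later loosened to an unanchored match, local paths that merely contain `http` would start failing with no test noticing. A negative case would cover that, for instance `expect(validateArgs({ file_path: "./http/image.png", goal: "analyze" }) ?? "").not.toContain("Remote URLs are not supported")`. One more case with a non-http scheme would record where the boundary is meant to sit, whichever way that is decided. The enclosing `describe("look-at tool", …)` block opens before this hunk.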