AgentOS Security

AgentOS Core is released under the Apache License 2.0 with extensions and community agents under the MIT License. The entire codebase is publicly available for review, audit, and contribution. This transparency means every line of code that handles tool execution, credential access, and guardrail enforcement can be independently verified.

Security improvements are welcomed through pull requests on GitHub.

AgentOS ships with a configurable security tier system that controls how much autonomy an agent is granted. Operators choose one of five named presets when deploying an agent:

• Dangerous — no restrictions; intended only for isolated development sandboxes where the operator accepts full risk.
• Permissive — most tools enabled with minimal guardrails. Suitable for trusted internal workloads.
• Balanced — the recommended default. High-risk tools (shell, filesystem) require explicit allowlisting; injection detection is active.
• Strict — only pre-approved tools may execute; all tool calls are logged and auditable.
• Paranoid — the most restrictive tier. Every tool invocation requires human-in-the-loop approval before execution. Designed for sensitive or compliance-heavy environments.

The active tier can be changed at runtime via agent configuration. See the Guardrails documentation for full details.

The built-in PII Redaction extension scans inbound and outbound messages for personally identifiable information (email addresses, phone numbers, national ID patterns, credit card numbers, and more). When detected, PII is masked before the data reaches the LLM provider or downstream tool, reducing the risk of accidental data leakage.

PII redaction runs as an extension and can be enabled or disabled per agent. Custom regex patterns can be added for domain-specific identifiers.

Tools in AgentOS execute within a permission boundary defined by the active security tier. The tool orchestrator enforces allowlists, denylists, and rate limits before any tool code runs. High-risk tools (filesystem writes, shell commands, network requests) are gated behind explicit operator approval at Balanced tier and above.

Emergent tools — tools that agents generate at runtime — are subject to the same security tier restrictions and cannot bypass the allowlist.

AgentOS treats all tool output and external input as untrusted data. The guardrails pipeline includes injection and jailbreak detection that analyses messages before they reach the LLM. When a potential injection is detected, the request is blocked or flagged for human review, depending on the active security tier.

Operators can tune detection sensitivity and add custom patterns to match domain-specific attack vectors.

We welcome responsible disclosure of security vulnerabilities from researchers and community members.

• Report vulnerabilities to [email protected].
• We commit to acknowledging reports within 48 hours and will work with you to understand and resolve the issue.
• We will not take legal action against researchers who discover and report vulnerabilities in good faith.
• Please allow us reasonable time to investigate and remediate before any public disclosure.