Security
agentpad runs real processes on your machine with the user’s privileges. It is a convenience layer for agents and automation, not a sandbox.
What agentpad enforces
cwdpassed torun()must resolve inside the workspace (effectiveRoot/effective_root); otherwise it throws.- Read-only mode blocks writes through the library’s filesystem helpers; it does not stop a shell command from redirecting to arbitrary paths unless you control the command.
- Timeouts send SIGKILL after the configured timeout (per engine implementation).
What it does not enforce
- No seccomp, no containers, no VM—bash/python/node can invoke any binary on
PATH.
- SQL uses the host’s
sqlite3CLI with the process environment you supply.
- Overlay still executes with full user permissions;
apply()overwrites files in the real root.
Recommendations
- Run agents under a dedicated OS user or container with minimal filesystem access.
- Prefer read-only or overlay when exploring untrusted code; review before
apply(). - Set tight timeouts and output limits for untrusted workloads.
- Do not expose
Runtimedirectly over the public internet without an additional security boundary.
Dependency note
The npm package depends on minimatch for glob handling only; execution uses Node child_process.