Comment by magimas
12 hours ago
but this seems quite overkill no?
I currently run pi agent in Lima on a Mac with only the code project folder mounted and an extension that prevents pi agent from reading the contents of .env files directly.
Yeah, there probably are some freak situations where this isn't safe enough, but I don't really see any realistic ways this is going to end up badly. Am I overlooking some obvious security holes?
I designed it to provide a single interface to agent sandboxing, no matter how far up the security tower you want to go.
It eliminates the manual process steps you end up doing with an ad-hoc system (which gets old the 10th time you do it).
Common weak points:
- The agent can access your homedir.
- The agent can access .gitignored files, which can contain secrets (and are gitignored for this reason).
- The agent has r/w access to your workdir.
- The agent could follow your remote mounted dirs.
- The agent can act in your name with whatever credentials it finds (and it will use them when it tries to be helpful, especially with the gh tool).
- Do you even know what's in the diagnose_problem.sh file it just created and asked permission to run?
- Even the .git dir can be weaponized, such as with evil filters.
- The agent can edit its own process, bypassing the harness controls and giving it the same access as you have (amplified by each credential sitting on that machine).
Meanwhile, you're reflex-hitting ENTER without looking because 99% of the permission prompts are mundane.
And that's before you even get to all of the idiosyncrasies in the backends that will eventually trip you up. The list is quite large and continually growing: https://github.com/kstenerud/yoloai/blob/main/docs/contribut...