Trust & Security
Applies to SDK 0.16+ · Last updated: 2026-06-12
Trust is not binary. AgentNode provides a layered trust model where every pack has a clear, auditable trust level that progresses over time through verification, community usage, and manual review.
The four trust levels
Unverified
Newly published pack. Metadata has been validated and the manifest is syntactically correct, but no further review has been performed. Use with caution in production.
Verified
Publisher identity has been confirmed. The pack passes automated security scans (Bandit), and its declared permissions are consistent with actual behavior. Publisher has 2FA enabled.
Trusted
Security scanned with zero findings, tests pass, active maintenance history, meaningful community usage, and no reported issues. The pack has demonstrated reliability over time.
Curated
Manually reviewed by the AgentNode team. Code has been audited, permissions verified against actual behavior, and the pack meets the highest quality bar. This is the highest assurance level in the registry.
How to progress through trust levels
| From | To | Requirements |
|---|---|---|
| Unverified | Verified | Confirm publisher identity, enable 2FA, pass Bandit security scan, permissions match declared behavior |
| Verified | Trusted | Zero security findings, tests pass, active maintenance, community usage, no unresolved reports |
| Trusted | Curated | Manual review by AgentNode team, code audit, permissions verification, documentation review |
Security scanning
Every pack published to the registry undergoes automated security scanning:
- Bandit analysis -- static analysis for common Python security issues (hardcoded passwords, SQL injection, insecure deserialization, etc.)
- Ed25519 signatures -- every published pack is signed with the publisher's key. Install-time verification ensures the pack has not been tampered with after publication.
- Typosquatting detection -- the registry detects package names that are suspiciously similar to popular packs (e.g.,
pdf-reeder-packvs.pdf-reader-pack) and flags them for manual review. - Hash verification -- SHA-256 hashes are computed at publish time and verified at install time. If the hash does not match, the installation is aborted.
The permission model
Every pack must explicitly declare its permissions across four dimensions. Agents and users see the full permission manifest before installation, and the resolution engine can filter by permission constraints.
| Dimension | Levels | Description |
|---|---|---|
| Network | none, restricted, unrestricted | What network access the pack requires. "none" means no outbound calls. "restricted" means specific domains only. "unrestricted" means any network access. |
| Filesystem | none, temp, read, write | What file system access the pack requires. "temp" means temporary directory only. "read" means it reads files. "write" means it reads and writes. |
| Code Execution | none, sandboxed, full | Whether the pack executes arbitrary code. "sandboxed" means restricted execution environment. "full" means unrestricted. |
| Data Access | input_only, output_only, bidirectional | The direction of data flow. "input_only" means the pack reads input but does not send data externally. "bidirectional" means it both receives and sends data. |
Inspecting a package
Use agentnode info and agentnode policy-check to review a package's trust level, permissions, and whether it meets your policy constraints before installation.
$ agentnode info pdf-reader-pack
$ agentnode policy-check pdf-reader-pack --trust trusted --no-network