Skip to main content

Security & Trust for AgentNode

AgentNode runs third-party tool code on your own machine, not ours. Untrusted, community-tier code runs inside a hardened container — or not at all (fail-closed). Trusted and curated code runs host-side under policy checks. Your API keys stay in the OS keychain, and tool data never reaches our servers.

Is AgentNode safe?

AgentNode is built so that untrusted code cannot quietly run with your privileges. Community-tier packages run inside a hardened container or are refused (fail-closed); trusted and curated code runs host-side under policy checks; and your data and credentials stay on your machine. How safe it is in practice depends on your setup — running the local sandbox and keeping a sensible minimum trust level.

Does AgentNode sandbox community code?

Yes. Verified, unverified, and unknown-tier code runs in a hardened container — read-only filesystem, non-root user, dropped Linux capabilities, network off by default — or not at all. There is no silent fallback to host execution. It requires Docker or Podman plus the digest-pinned image; trusted and curated packages run host-side instead.

Where do API keys go?

Into your operating-system keychain via agentnode auth — never into sandboxed code. When a sandboxed agent needs an LLM, a host-side broker makes the call, so the provider key never enters the container, audit records, manifests, or lockfiles.

Can teams enforce policies?

Yes. A minimum trust level, the Guard policy engine (allow / prompt / deny per action), input inspection, rate limits, and lockfile-integrity checks all run locally and fail closed. In CI or non-interactive contexts, any prompt escalates to a denial.

Defense in depth

Trust is layered across the lifecycle of a package — from publish to runtime to your data.

Before publish

Verification

Every package version is tested — install, import, smoke test, unit tests — and scored before it earns a trust tier.

Package verification →

At publish

Integrity

Publisher Ed25519 signatures (an invalid signature blocks install), SHA-256 hashes, Bandit security scanning, and typosquatting detection.

Trust & security →

At runtime

Isolation & policy

Untrusted community code runs in a hardened container or not at all. Guard adds action policy, input inspection, and rate limits on every call.

Sandbox →Guard →

Your data

Local-first

Tools run on your machine; tool data, prompts, and telemetry never reach our servers. Credentials live in your OS keychain, and sandboxed agents use a host-side LLM broker.

Data sovereignty →Credentials →

Trust tiers

Every package version carries a trust level, and enforcement differs by tier: community tiers are sandboxed or refused, while vetted tiers run host-side under policy checks by default — and a user-controlled host-trust policy lets you sandbox them too.

Unverified

Metadata validated only. Sandboxed or fail-closed at runtime.

Verified

Publisher confirmed, passes security scans. Sandboxed at runtime.

Trusted

Proven reliability over time. Runs host-side by default — sandboxed under a stricter host-trust policy.

Curated

Manually reviewed by AgentNode. Highest assurance; runs host-side (sandboxed only under host_trust_policy=none).

Details per tier: Security model and Execution sandbox.

For teams and companies

AgentNode is designed to be governed before it is rolled out across agents:

See AgentNode Guard and the security model.

Honest limits

We document the boundaries plainly — trust is earned by being precise, not by overclaiming.

Full detail: Execution sandbox.

Next steps

Found a vulnerability? Email security@agentnode.net. The code is open on GitHub.