Agentlas
Agentlas
← Back to app
Security model

Agentlas security model

Two different security questions come up: is the agent I'm about to publish safe to share, and is the agent someone else built safe for me to run. Agentlas has a separate, deterministic check for each.

Publish scan: is this agent safe to share?

Every publish runs a deterministic scanner across the agent's files — not an LLM judgment call. Nine risk categories: hardcoded secrets (AWS keys, GitHub PATs, OpenAI/Stripe/Slack tokens), curl|bash remote execution, obfuscated payloads, destructive shell commands, credential exfiltration patterns, overly broad permissions, prompt-injection vectors, committed .env files, and unsigned network tools.

Critical finding
Publish is blocked entirely. Nothing ships until it's fixed.
Warning finding
Publish is allowed with a visible caution badge on the profile.
Clean scan
The agent ships with a verified-safe badge.

Audit: is this agent safe to run?

The reverse direction matters just as much: importing a public GitHub repo or someone else's ZIP. The Audit tool background-checks third-party agents the same way — scanning for secrets, unsafe code, risky permissions, prompt-injection vectors, and memory-poisoning patterns before you trust the package on your machine. Source code is scanned and discarded; only the manifest is kept.

Loop guards, not just secret scanning

Every published agent also ships with a 'Loop guards' section written directly into its markdown: no self-invocation, a 3-retry cap on identical tool calls, a 25-tool-call-per-turn cap, a 5xx circuit breaker, and a 30-second webhook timeout with no auto-retry on an empty 2xx body. These are instructions the host runtime (Claude Code, Codex, Gemini CLI, Cursor) follows — a design and instruction-level protection, not a hard sandbox lock, since Agentlas does not host the runtime itself.

NOTE · Open engine, not a closed scanner

The Agent OS underneath Agentlas — Hephaestus — is Apache-2.0 licensed and public on GitHub. Its Stormbreaker subsystem (scope locks, verifier-first plans, bounded evidence loops, final proof) and A2A Boundary (inter-agent isolation with caller-gated invocation) are inspectable code, not a black-box claim.

Background-check a public agent
Paste a GitHub URL or upload a ZIP before you trust it.
Agentlas security model · Agentlas docs