| Version | Supported |
|---|---|
| 0.1.x | Yes |

agentsh is designed to be safe by default:

- No subprocess calls — the shell never spawns real processes
- No real filesystem access — all I/O goes through the in-memory VFS
- No network access — no HTTP, no sockets, no DNS
- Policy engine — commands and paths can be allow-listed or denied

However, agentsh does not provide VM-level isolation. It runs in the same Python process as the caller. It is a virtual environment, not a sandbox.

If you discover a security vulnerability, please report it responsibly:

- Do not open a public GitHub issue
- Email opensource@mayflower.de with:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
- We will acknowledge receipt within 48 hours
- We will provide a fix timeline within 7 days

Security issues we care about:

- Escaping the virtual filesystem to access real files
- Executing real system commands via any code path
- Bypassing the policy engine
- Denial of service via resource exhaustion (unbounded loops, memory)

Out of scope:

- Issues that require the attacker to control the Python host process
- Performance issues that don't lead to resource exhaustion