Security Audit
Instructions
- Command Execution Review (backend/main.py):
  - Check run_terminal_command() for shell injection vulnerabilities
  - Verify timeout is enforced (should be 15 seconds)
  - Look for dangerous command patterns
- Tool Permission Review:
  - Verify Chat mode only allows: read_file, web_search
  - Check Agent mode tool restrictions
  - Look for permission bypass vulnerabilities
- Secrets Management:
  - Ensure .env is in .gitignore
  - Check no API keys are hardcoded
  - Verify python-dotenv usage for environment variables
- WebSocket Security:
  - Check for authentication on /ws endpoint
  - Review message validation
  - Look for injection points in user input
- Frontend Security:
  - Check for XSS in markdown rendering
  - Review image upload handling (base64 encoding)
  - Verify no sensitive data in client-side code
- Generate report with:
  - Critical issues (immediate action required)
  - Warnings (should fix before production)
  - Recommendations (best practices)
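As an added example (not the project's code), a small static check a reviewer can run against backend/main.py for the Command Execution Review items above: it flags subprocess calls that pass shell=True or that do not set the 15-second timeout. The embedded sample source is constructed to mimic a run_terminal_command() implementation beside a hardened variant; the name run_terminal_command_safe and the use of subprocess are assumptions, since the page does not show the real implementation.

```python
import ast

REQUIRED_TIMEOUT = 15  # the audit instructions state the timeout should be 15 seconds


def _kwarg(call: ast.Call, name: str):
    """Return the AST node passed for keyword `name`, or None if it is absent."""
    for kw in call.keywords:
        if kw.arg == name:
            return kw.value
    return None


def audit_subprocess_calls(source: str, filename: str = "backend/main.py") -> list[str]:
    """Flag every subprocess.<func>(...) call that uses shell=True or lacks the
    expected timeout. Findings are strings of the form 'SEVERITY file:line: reason'."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Only direct calls such as subprocess.run / subprocess.Popen are inspected.
        if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess"):
            continue
        where = f"{filename}:{node.lineno}"
        shell = _kwarg(node, "shell")
        if isinstance(shell, ast.Constant) and shell.value is True:
            findings.append(f"CRITICAL {where}: subprocess.{func.attr} uses shell=True "
                            "(command string reaches a shell; injection risk)")
        timeout = _kwarg(node, "timeout")
        if timeout is None:
            findings.append(f"WARNING {where}: no timeout (expected {REQUIRED_TIMEOUT}s)")
        elif not (isinstance(timeout, ast.Constant) and timeout.value == REQUIRED_TIMEOUT):
            findings.append(f"WARNING {where}: timeout is not {REQUIRED_TIMEOUT}s")
    return findings


# Constructed sample standing in for run_terminal_command(); not the project's code.
SAMPLE_SOURCE = '''import subprocess

def run_terminal_command(cmd: str) -> str:
    # weak form: user-controlled string handed to a shell, no timeout
    return subprocess.run(cmd, shell=True, capture_output=True).stdout.decode()

def run_terminal_command_safe(argv: list[str]) -> str:
    # hardened form: argv list, no shell, 15-second timeout enforced
    return subprocess.run(argv, capture_output=True, timeout=15).stdout.decode()
'''
```

Calling audit_subprocess_calls(SAMPLE_SOURCE) reports one CRITICAL and one WARNING for line 5 of the sample and nothing for the hardened variant; point it at the real file with open("backend/main.py").read().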
Examples
- "Run a security audit"
- "Check for vulnerabilities"
- "Review security before deploy"
Guardrails
- This is a READ-ONLY audit; do not modify files
- Report findings without exploiting vulnerabilities
- Recommend fixes but get user approval before implementing
- Never log or expose discovered secrets