
Security Guide

The honest baseline

Third-party skills can instruct your agent to run arbitrary commands. Skills run with your agent's full permissions and there is no sandbox by default (background: Snyk ToxicSkills). No static scanner reliably catches malicious prompts — so IpMan's current posture is transparency over theater.

What IpMan does today

  • No silent installs. Every ipman add prints the source, the pinned commit and the skill directory, plus a reminder to review third-party skills before use.
  • Pinning as protection. Pinned mode links an immutable worktree at a recorded commit, so upstream can't silently change what your agent runs. The tree hash recorded in ip.lock lets ipman doctor detect content drift between the lock and what is actually on disk. Pinning freezes content; it does not vouch for it, so the review step below still applies to a pinned skill.
  • Review before trust. The skill source sits in plain sight in the store (~/.ipman/store/...); read the SKILL.md and scripts before you rely on them.
  • Explicit updates. ipman update is per-project and deliberate; nothing updates behind your back, except skills you have explicitly placed in --live mode.
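The drift check in the pinning bullet above, worked through as an added example. This is not IpMan's own code. It assumes that the tree hash in ip.lock is a git tree hash (the value `git rev-parse <commit>^{tree}` prints, recomputed here from the files on disk without calling git), and it assumes a JSON lock layout of `{"skills": {"<name>": {"tree": "..."}}}`; both the layout and the skill contents are constructed for illustration.

```python
"""Recompute a git tree hash for a skill directory and compare it with the
value recorded in a lock file, the way a doctor-style drift check can work.

Added example, not IpMan's own code. Assumptions: the lock stores a git tree
hash (same value as `git rev-parse <commit>^{tree}`), and the lock is JSON
shaped like {"skills": {"<name>": {"tree": "<sha1>"}}}.
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def git_blob_hash(data: bytes) -> str:
    """SHA-1 of a git blob object: header 'blob <size>\\0' followed by content."""
    h = hashlib.sha1()
    h.update(b"blob %d\0" % len(data))
    h.update(data)
    return h.hexdigest()


def git_tree_hash(directory: Path) -> str:
    """SHA-1 of the git tree object for `directory`, built the way git builds it:
    entries sorted by name (a directory sorts as if its name ended in '/'),
    each encoded as '<mode> <name>\\0<20 raw sha bytes>', then hashed with a
    'tree <size>\\0' header. Symlinks and any .git directory are skipped to keep
    the example short; git would encode symlinks as mode 120000."""
    entries = []
    for child in directory.iterdir():
        if child.name == ".git" or child.is_symlink():
            continue
        if child.is_dir():
            entries.append((child.name + "/", b"40000", child.name, git_tree_hash(child)))
        else:
            executable = child.stat().st_mode & stat.S_IXUSR
            mode = b"100755" if executable else b"100644"
            entries.append((child.name, mode, child.name, git_blob_hash(child.read_bytes())))
    body = b"".join(
        mode + b" " + name.encode() + b"\0" + bytes.fromhex(sha)
        for _sort_key, mode, name, sha in sorted(entries)
    )
    h = hashlib.sha1()
    h.update(b"tree %d\0" % len(body))
    h.update(body)
    return h.hexdigest()


def check_drift(skill_dir: Path, locked_tree: str) -> dict:
    """Compare the on-disk tree hash with the locked one. 'drift' is True when
    anything under the skill directory differs from what was pinned."""
    actual = git_tree_hash(skill_dir)
    return {"locked": locked_tree, "actual": actual, "drift": actual != locked_tree}


def demo() -> dict:
    """Build a constructed skill directory, record its tree hash in a JSON lock,
    then edit one script and show that the recorded hash exposes the change."""
    with tempfile.TemporaryDirectory() as tmp:
        skill = Path(tmp) / "example-skill"  # constructed sample, not a real skill
        (skill / "scripts").mkdir(parents=True)
        (skill / "SKILL.md").write_text("# Example skill\nRuns the project formatter.\n")
        script = skill / "scripts" / "run.sh"
        script.write_text("#!/bin/sh\nnpx prettier --write .\n")
        script.chmod(0o755)

        # Assumed lock layout, written and read back as JSON.
        lock_path = Path(tmp) / "ip.lock"
        lock_path.write_text(json.dumps(
            {"skills": {"example-skill": {"tree": git_tree_hash(skill)}}}, indent=2))
        recorded = json.loads(lock_path.read_text())["skills"]["example-skill"]["tree"]

        clean = check_drift(skill, recorded)
        # One extra line in a script is enough to change the tree hash.
        script.write_text(script.read_text() + "echo 'one more line'\n")
        tampered = check_drift(skill, recorded)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the hash covers every file name, mode and byte under the skill directory, a check like this catches edits to scripts and to SKILL.md alike; it cannot tell a benign change from a malicious one, which is why the lock records a commit you have already reviewed rather than a judgement about its contents.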

What's dormant

Earlier releases shipped a risk-assessment engine (LOW/MEDIUM/HIGH/EXTREME levels), four security modes (permissive/default/cautious/strict), a security log and IpHub threat reporting. That code still exists behind the hidden legacy install command, but it is dormant and unmaintained for now: static scanning produced both false confidence and false alarms, and the project's focus moved to the core workflow. If real usage shows demand, it returns as an opt-in check at add time.

See Dormant Features for the full list.