Security Guide
The honest baseline
Third-party skills can instruct your agent to run arbitrary commands. Skills run with your agent's full permissions and there is no sandbox by default (background: Snyk ToxicSkills). No static scanner reliably catches malicious prompts — so IpMan's current posture is transparency over theater.
What IpMan does today
- No silent installs. Every `ipman add` prints the source, the pinned commit and the skill directory, plus a reminder to review third-party skills before use.
- Pinning as protection. Pinned mode links an immutable worktree at a recorded commit — upstream can't silently change what your agent runs. `ip.lock`'s tree hash lets `ipman doctor` detect content drift.
- Review before trust. The skill source sits in plain sight in the store (`~/.ipman/store/...`); read the SKILL.md and scripts before you rely on them.
- Explicit updates. `ipman update` is per-project and deliberate; nothing auto-updates behind your back (except skills you explicitly put in `--live` mode).
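
The kind of drift check that pinning relies on, as an added example (not IpMan's code): it records a digest of a skill directory and reports when file content, the executable bit or a symlink changes. The digest scheme, the names `tree_digest` and `drifted`, and the sample files are assumptions; this page does not show how `ip.lock` computes its tree hash.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

def tree_digest(root):
    """SHA-256 over (path, kind, content); a constructed scheme, not IpMan's."""
    items = []
    for dirpath, dirnames, filenames in os.walk(root):  # symlinks not followed
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in dirnames + [f for f in filenames if f != ".git"]:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if stat.S_ISLNK(mode):  # hash the link target, never read through it
                items.append((rel, "link", os.readlink(full).encode()))
            elif stat.S_ISREG(mode):
                kind = "exec" if mode & stat.S_IXUSR else "file"
                with open(full, "rb") as f:
                    items.append((rel, kind, f.read()))
    h = hashlib.sha256()
    for rel, kind, body in sorted(items):
        for field in (rel.encode(), kind.encode(), body):
            # Length-prefix every field so boundaries cannot be shifted.
            h.update(len(field).to_bytes(8, "big") + field)
    return h.hexdigest()

def drifted(root, recorded):
    """True when the directory no longer matches the recorded digest."""
    return tree_digest(root) != recorded

def demo():
    """Pin a constructed skill directory, then apply three kinds of change."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "scripts").mkdir()
        skill, script = root / "SKILL.md", root / "scripts" / "setup.sh"
        skill.write_text("# constructed skill\n")
        script.write_text("echo hello\n")
        script.chmod(0o644)
        pinned = tree_digest(root)  # the value a lock file would record
        out["unchanged"] = drifted(root, pinned)
        skill.write_text("# constructed skill\nextra instruction\n")
        out["edited_skill_md"] = drifted(root, pinned)
        skill.write_text("# constructed skill\n")  # restore
        script.chmod(0o755)
        out["exec_bit_set"] = drifted(root, pinned)
        script.chmod(0o644)  # restore
        (root / "scripts" / "data").symlink_to("../outside.txt")
        out["symlink_added"] = drifted(root, pinned)
    return out
```

Calling `demo()` returns one boolean per change; a digest match only shows the content is what was pinned, not that the pinned content is safe to run.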
What's dormant
Earlier releases shipped a risk-assessment engine (LOW/MEDIUM/HIGH/EXTREME
levels), four security modes (permissive/default/cautious/strict), a security
log and IpHub threat reporting. That code still exists behind the hidden
legacy install command, but it is dormant and unmaintained for now —
static scanning gave both false confidence and false alarms, and the project's
focus moved to the core workflow. If real usage shows demand, it returns as an
opt-in add-time check.
See Dormant Features for the full list.