Security
CrabCode's security model: trusted directories, permission modes, Bypass risk, secret redaction.
What it is
CrabCode treats the cwd and external inputs conservatively by default:
- Asks "Trust this directory?" at startup
- Dangerous ops (writes outside the project, shell execution, network) require confirmation by default
- `/bug` reports and logs automatically redact API keys, AWS/GCP credentials, `Authorization` headers, etc.
When you see this doc
- First launch / `/init` onboarding — the Trust dialog
- When changing permission modes
- The "external include" warning on CRABCODE.md
- Before using `/bug` to report an issue
Trusted directories
If the cwd isn't trusted yet, CrabCode shows the Trust dialog at startup:
- Trust — add to allow-list; never asks again for this directory or its descendants
- Don't trust — drop the session to read-only
- Trust state is kept in your user config, keyed by project path
Don't blanket-trust: an unfamiliar repo can plant prompt injection in CRABCODE.md / AGENTS.md.
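The descendant rule above has a classic pitfall: a trust check that compares path strings by prefix would treat `payments-fork` as a descendant of `payments`, and a `..` segment could walk out of a trusted tree. The following is an added example (not CrabCode's own code) of an allow-list check that matches whole path components after normalisation; the allow-list contents and the list shape of the store are constructed for the example, since the page only says trust is keyed by project path.

```python
import posixpath

# Constructed trust store: project paths the user has already accepted.
# The page says trust state is keyed by project path; the flat list
# used here is an assumption for the example.
TRUSTED_PATHS = [
    "/home/dev/work/payments",
    "/home/dev/oss/crabcode",
]


def _components(path: str) -> list:
    """Normalise (collapses '..' and '.') and split into path components."""
    return [p for p in posixpath.normpath(path).split("/") if p]


def is_trusted(cwd: str, trusted=TRUSTED_PATHS) -> bool:
    """True if cwd is a trusted directory or a descendant of one.

    Comparison is on whole components, never string prefixes, so trusting
    /home/dev/work/payments does not also trust /home/dev/work/payments-fork.
    """
    cwd_parts = _components(cwd)
    for root in trusted:
        root_parts = _components(root)
        if cwd_parts[: len(root_parts)] == root_parts:
            return True
    return False


def session_mode(cwd: str, trusted=TRUSTED_PATHS) -> str:
    """Mirror the dialog outcome: trusted -> full session, else read-only."""
    return "full" if is_trusted(cwd, trusted) else "read-only"


if __name__ == "__main__":
    for d in ["/home/dev/work/payments/src", "/home/dev/work/payments-fork",
              "/home/dev/work/payments/../payments-fork", "/tmp/unknown"]:
        print(f"{d}: {session_mode(d)}")
```

Real code should additionally `realpath()` the directory before the comparison so that a symlink inside a trusted tree pointing elsewhere is judged by where it actually leads.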
Permission modes
CrabCode runs both an app-level permission layer and an OS-level sandbox:
| Axis | Permission mode (app) | Sandbox (OS) |
|---|---|---|
| Enforcer | CrabCode self-check + prompt | Kernel rejects out-of-bounds syscalls |
| Off name | bypassPermissions | enabled: false |
| Relation | Independent of the sandbox | Independent of the permission mode; with the sandbox on, even an app-level bypass can't cross the OS boundary |
Permission modes:
- `default` — prompt for dangerous ops (recommended)
- `acceptEdits` — auto-approve edits
- `plan` — plan only, no action
- `bypassPermissions` — skip every confirmation (high risk)
- `auto` — built-in classifier decides pass/ask/deny (requires the relevant feature flag)
See iam and sandboxing.
Bypass mode (high risk)
```shell
crabcode --permission-mode bypassPermissions
```
CrabCode will read, write, and execute without asking. Only use it when you fully trust the task:
- CI running a fixed batch
- Throwaway-container demos
Orgs can lock the mode out entirely in settings.json:
```json
{
  "permissions": {
    "disableBypassPermissionsMode": "disable"
  }
}
```
With this, even a CLI flag won't bring bypass mode up.
Secret redaction
`/bug` reports, `crabcode --debug` logs, and error reports auto-redact:
- API-key-shaped tokens (common prefixes)
- AWS access keys (`AKIA...` etc.)
- GCP service-account credentials
- HTTP `Authorization` / `x-api-key` headers
- Env var values whose names contain `*_TOKEN` / `*_SECRET` / `*_PASSWORD`
Redaction happens before text hits disk or the network; in-process memory still holds plaintext.
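To make the categories above concrete, here is an added example (not CrabCode's redaction code) of rule-based redaction run over constructed log lines: none of the credentials are real, the prefix list for "API-key-shaped tokens" (`sk-`, `ghp_`, `xox?-`) is an assumption, and the `[REDACTED]` marker format is invented for the example. The rules run before anything is written, which is the ordering the page describes; a final `leaked()` check confirms no known secret survived.

```python
import re

# Constructed sample log lines; none of these credentials are real.
SAMPLE_LOG = """\
GET /v1/models HTTP/1.1
Authorization: Bearer sk-ant-api03-abcdefghijklmnopqrstuvwxyz0123456789
x-api-key: sk-ant-api03-zyxwvutsrqponmlkjihgfedcba9876543210
env: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
env: GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
env: DB_PASSWORD=hunter2
env: HOME=/home/dev
gcp: {"type": "service_account", "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvQIB...\\n-----END PRIVATE KEY-----\\n"}
"""

# (pattern, replacement) pairs, applied in this order.
RULES = [
    # HTTP Authorization / x-api-key headers: keep the scheme, drop the value.
    (re.compile(r"(?im)^(authorization:[ \t]*(?:bearer[ \t]+|basic[ \t]+)?|x-api-key:[ \t]*).*$"),
     r"\1[REDACTED]"),
    # Env var values whose name contains _TOKEN, _SECRET or _PASSWORD.
    (re.compile(r"\b([A-Z0-9_]*_(?:TOKEN|SECRET|PASSWORD)[A-Z0-9_]*)=\S+"),
     r"\1=[REDACTED]"),
    # GCP service-account JSON: blank the private_key field.
    (re.compile(r'"private_key"\s*:\s*"[^"]*"'), '"private_key": "[REDACTED]"'),
    # AWS access key IDs: AKIA followed by 16 uppercase alphanumerics.
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED:aws-access-key]"),
    # API-key-shaped tokens by common prefix (assumed prefix list).
    (re.compile(r"\b(?:sk-[A-Za-z0-9_-]{8,}|ghp_[A-Za-z0-9]{20,}|xox[abp]-[A-Za-z0-9-]{10,})"),
     "[REDACTED:api-key]"),
]


def redact(text: str) -> str:
    """Apply every rule in order; call this before text hits disk or the wire."""
    for pattern, replacement in RULES:
        text = pattern.sub(replacement, text)
    return text


def leaked(secrets, redacted_text: str) -> list:
    """Return the secrets that survived redaction (should be an empty list)."""
    return [s for s in secrets if s in redacted_text]


if __name__ == "__main__":
    print(redact(SAMPLE_LOG))
```

Note what this does not cover: a secret that matches none of the shapes (for example a plain password pasted into the chat) passes through untouched, which is why the page still warns against putting secrets in chat.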
CRABCODE.md external includes
CRABCODE.md supports @./other.md to inline another file's content. Including files outside the project (e.g. @~/.dotfiles/...) triggers a warning dialog — it's a potential prompt-injection entry point.
Mitigations:
- Inline the prompt content directly into the project `CRABCODE.md`
- Or audit the source of the external file and approve the include explicitly
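The warning dialog boils down to one question per include: does the referenced file resolve inside the project or not? The following is an added example (not CrabCode's own include parser) that scans constructed CRABCODE.md text for `@path` references and reports which ones escape the project root. The `@` token syntax is assumed from the `@./other.md` form on the page; the project root and home directory are constructed values.

```python
import posixpath
import re

# Constructed CRABCODE.md content; not a real project file.
SAMPLE_CRABCODE_MD = """\
# Project notes
@./docs/style.md
Follow @./docs/conventions.md for naming.
@~/.dotfiles/ai-prompts.md
@../shared/conventions.md
@/etc/crabcode/global.md
Run tests with `make test`; questions to dev@example.invalid.
"""

# An include is '@' followed by a path, at line start or after whitespace
# (the lookbehind keeps e-mail addresses from matching). Assumed syntax.
INCLUDE_RE = re.compile(r"(?<!\S)@(\S+)")


def resolve_include(project_root: str, target: str, home: str = "/home/dev") -> str:
    """Expand ~ and resolve the include lexically against project_root.

    posixpath keeps the check deterministic and offline; production code
    would also realpath() the result, since a symlink can escape the project.
    """
    if target == "~" or target.startswith("~/"):
        target = home + target[1:]
    if not posixpath.isabs(target):
        target = posixpath.join(project_root, target)
    return posixpath.normpath(target)


def is_inside(project_root: str, path: str) -> bool:
    """Whole-component containment check (no 'proj' vs 'proj2' prefix bug)."""
    root = posixpath.normpath(project_root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def audit_includes(md_text: str, project_root: str, home: str = "/home/dev") -> list:
    """Return (raw_target, resolved_path, inside_project) for every include."""
    results = []
    for match in INCLUDE_RE.finditer(md_text):
        raw = match.group(1)
        resolved = resolve_include(project_root, raw, home)
        results.append((raw, resolved, is_inside(project_root, resolved)))
    return results


def external_includes(md_text: str, project_root: str, home: str = "/home/dev") -> list:
    """The includes that would trigger the warning dialog."""
    return [raw for raw, _, inside in audit_includes(md_text, project_root, home) if not inside]


if __name__ == "__main__":
    for raw, resolved, inside in audit_includes(SAMPLE_CRABCODE_MD, "/home/dev/proj"):
        print(f"{'ok      ' if inside else 'EXTERNAL'} {raw} -> {resolved}")
```

Running the audit in CI against the committed CRABCODE.md turns the interactive warning into a repeatable check, so a newly added external include shows up in review rather than only at someone's next launch.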
Credentials and transport
- All traffic between CrabCode and the acosmi gateway is over HTTPS
- Login tokens live in your OS keychain (macOS Keychain / Linux secret service / Windows Credential Manager); when unavailable, CrabCode falls back to an encrypted local file
- Multiple windows share one token; refresh races are handled by the SDK
- After CrabCode exits, no plaintext prompts or tool calls remain on disk unless you opted into `--debug` log files
Limits and caveats
- `/bug` ships the transcript: redaction helps, but don't put secrets in chat
- MCP servers are black boxes: audit any HTTP MCP before allowing it to read your data
- Hook commands run as your shell user — equivalent to local code execution; audit third-party hooks and plugins before installing
- Shared CI runners — combine the sandbox with `bypassPermissions` locked out
Reporting security issues
Reach us through the acosmi.com or acosmi.ai contact pages. For sensitive disclosures, include a reproduction and impact estimate; we prioritize accordingly.