Security Overview

How ArgentOS protects your system — sandboxing, authentication, and secret management.

Overview

ArgentOS gives an AI agent significant power over your system -- command execution, file access, web browsing, and network communication. Security is built into every layer to ensure this power is used responsibly.

Security Layers

1. Sandboxing

Control what tools the agent can use and what operations require approval. See Sandboxing.

2. Authentication

Multiple authentication mechanisms protect different parts of the system. See Authentication.

3. Secret Management

Secure handling of API keys, tokens, and credentials. See Secrets.

Threat Model

ArgentOS considers these threat vectors:

Threat                             Mitigation
Agent executing harmful commands   Sandboxing, tool policies, approval workflows
Unauthorized gateway access        Gateway auth tokens, network restrictions
API key exposure                   Local-only storage, file permissions
Memory data leakage                Local SQLite, no external transmission
Channel impersonation              User allowlists, channel pairing

Default Security Posture

Out of the box, ArgentOS ships with:

  • Sandboxed mode for tool execution
  • Gateway auth enabled
  • Localhost-only binding (no remote access by default)
  • User allowlists empty (every user is accepted until you add an allowlist, which is easy to do)
  • API keys stored with user-only file permissions

Security Best Practices

  1. Enable gateway authentication -- Always use an auth token
  2. Use sandboxed mode -- Require approval for destructive operations
  3. Restrict channel access -- Set allowedUsers on each channel
  4. Use Tailscale for remote access -- Never expose the gateway directly to the internet
  5. Rotate API keys periodically
  6. Monitor gateway logs for unusual activity
  7. Keep ArgentOS updated for security patches

Principle of Least Privilege

Configure each agent with the minimum tools and permissions it needs:

  • Customer-facing agents: locked mode, no exec, no browser
  • Personal agents: sandboxed mode, approval for destructive ops
  • Development agents: unrestricted (controlled environment only)
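The three profiles above, expressed as a small policy evaluator. This is an added illustration, not ArgentOS's own implementation: the tool names, the set of tools treated as destructive, and the class and function names are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NEEDS_APPROVAL = "needs_approval"


# Assumed for this example: which tools count as destructive (sandboxed mode
# requires approval for them) and which tools locked mode removes outright.
DESTRUCTIVE_TOOLS = frozenset({"exec", "file_write"})
LOCKED_FORBIDDEN = frozenset({"exec", "browser"})


@dataclass(frozen=True)
class AgentPolicy:
    mode: str                                   # "locked", "sandboxed" or "unrestricted"
    allowed_users: frozenset = frozenset()      # empty = accept every user (the default posture)

    def evaluate(self, user: str, tool: str) -> Decision:
        # Channel allowlist: an empty allowlist admits everyone, matching the defaults.
        if self.allowed_users and user not in self.allowed_users:
            return Decision.DENY
        if self.mode == "locked":
            # Customer-facing profile: no exec, no browser, everything else allowed.
            return Decision.DENY if tool in LOCKED_FORBIDDEN else Decision.ALLOW
        if self.mode == "sandboxed":
            # Personal profile: destructive operations wait for approval.
            return Decision.NEEDS_APPROVAL if tool in DESTRUCTIVE_TOOLS else Decision.ALLOW
        if self.mode == "unrestricted":
            # Development profile: only appropriate in a controlled environment.
            return Decision.ALLOW
        # Unknown or misspelled mode: fail closed rather than silently granting everything.
        return Decision.DENY


# Constructed profiles mirroring the three bullets above.
CUSTOMER_FACING = AgentPolicy(mode="locked")
PERSONAL = AgentPolicy(mode="sandboxed", allowed_users=frozenset({"alice"}))
DEVELOPMENT = AgentPolicy(mode="unrestricted")
```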

Reporting Security Issues

Report security vulnerabilities to [email protected]. Do not open public issues for security reports.