Sharing and Security

Sharing Your Agent

By default, only you (the owner) can message your agent. To let others use it, manage the allowlist:

    # See who has access
    mutiro agents allowlist get

    # Allow a specific user
    mutiro agents allow

    # Deny a specific user
    mutiro agents deny

    # Allow multiple users at once
    mutiro agents allowlist set alice bob charlie

    # Open to everyone (use with caution)
    mutiro agents allowlist set "*"

    # Reset to owner-only
    mutiro agents allowlist set

    # Add or remove from the current list
    mutiro agents allowlist add
    mutiro agents allowlist remove

Security Model

Security depends on two things multiplied together:

1. Exposure — who can talk to the agent?

Every message, file, image, or forwarded content is a potential prompt injection vector.

    Who talks to it        Risk
    ---------------------  -------------------------------------------------------
    Only you               Low — but you still forward content from elsewhere
    Trusted friends/team   Medium — they may unknowingly forward hostile content
    Anyone (open access)   High — treat all input as adversarial

2. Blast radius — what can the agent do if tricked?

    Capability           Risk         Why
    -------------------  -----------  ------------------------------------------------------
    Read-only            Low          Can only search and report back
    Writes to files      Medium       Could poison files that persist
    Writes to memory     Medium-High  memory_write persists across ALL future conversations
    Sends messages       Medium       Could be used to phish or spam
    Runs shell commands  Critical     bash, process, code bypass every safeguard

These multiply. High exposure + memory writes = dangerous, even without "Dangerous" tools.

Workspace Isolation

When workspace: "./${USERNAME}" is set (the default), each user gets their own isolated subdirectory. The owner uses the root workspace. This prevents:

  • Users reading each other's files
  • Users poisoning the owner's memory
  • Cross-user contamination
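One way to enforce the isolation described above, shown here as an added illustration rather than mutiro's own implementation: the owner maps to the root workspace, every other user maps to the "./${USERNAME}" subdirectory, and any file request is resolved and checked against that directory before it is honoured. The root directory /srv/agent, the owner id and the function names are assumptions.

```python
from pathlib import Path

# Assumed values for this illustration: the real root and owner id come from
# your own deployment; the template is the documented default.
WORKSPACE_TEMPLATE = "./${USERNAME}"
OWNER = "owner"


def workspace_for(user: str, root: str, owner: str = OWNER) -> Path:
    """Resolve a user's workspace directory.

    The owner gets the root workspace; every other user gets the template with
    ${USERNAME} substituted, nested under the root.
    """
    if user == owner:
        return Path(root).resolve()
    # A username must never be able to change which directory it maps to.
    if not user or user in (".", "..") or any(c in user for c in "/\\"):
        raise ValueError(f"refusing unsafe username {user!r}")
    return (Path(root) / WORKSPACE_TEMPLATE.replace("${USERNAME}", user)).resolve()


def confine(user: str, requested: str, root: str, owner: str = OWNER) -> Path:
    """Return the absolute path for `requested` if it stays inside the user's
    workspace; raise PermissionError if it would escape (via '..', an absolute
    path, or an existing symlink that points elsewhere)."""
    ws = workspace_for(user, root, owner)
    # resolve() collapses '..' and follows symlinks, so the check below is made
    # on the real location, not on the string the caller supplied.
    target = (ws / requested).resolve()
    if target != ws and ws not in target.parents:
        raise PermissionError(f"{user!r} may not access {requested!r}: outside {ws}")
    return target


def is_allowed(user: str, requested: str, root: str, owner: str = OWNER) -> bool:
    """Boolean form of confine(), convenient for tests and for logging denials."""
    try:
        confine(user, requested, root, owner)
        return True
    except (PermissionError, ValueError):
        return False


if __name__ == "__main__":
    root = "/srv/agent"  # constructed example root; it need not exist for resolve()
    print(confine("alice", "notes.md", root))            # /srv/agent/alice/notes.md
    print(is_allowed("alice", "../bob/notes.md", root))  # False: alice cannot read bob's files
    print(is_allowed("owner", "alice/notes.md", root))   # True: the owner uses the root
```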

Guidelines

Personal agent (only you): Defaults are fine. Be mindful of what you paste or forward — hostile content in a PDF or image can still inject instructions.

Shared with trusted people: Consider removing memory_write or writeFile if those users don't need them. Keep workspace isolation on.

Open to everyone: Strip down to minimal tools — send_message, thinking, maybe recall. No file writes, no memory writes, no web tools. Consider running in a container.

Agent that fetches web content: web_search and web_fetch ingest untrusted data. If the agent also has memory_write or writeFile, a malicious web page could inject instructions that persist. Consider separating into a "research agent" (reads web, reports to you) and an "action agent" (only takes your instructions).

The Lethal Combination

Avoid combining all three in one agent:

  1. Ingests untrusted data (web, files from strangers, forwarded content)
  2. Can take consequential actions (write files, send messages, run commands)
  3. Runs without human oversight

If you need all three capabilities, split them across separate agents with you reviewing in between.

For the full tool catalog and what each tool does, see configuration.