docs: add Security (YOLO Mode) section to README

- Document unrestricted filesystem and command access
- Explain no permission checks or safety rails
- Warn about prompt injection risks
- Provide mitigation suggestions
- Clear about design philosophy and use at own risk
Mario Zechner 2025-11-12 22:53:42 +01:00
parent efb0a635b5
commit b172beb925
2 changed files with 34 additions and 6 deletions


@ -2,8 +2,6 @@
Interactive CLI coding assistant powered by multiple LLM providers. Chat with AI models that can read files, execute commands, and make precise edits to your codebase.
**Note**: This tool can modify your filesystem. Use with caution in production environments.
## Installation
```bash
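Review bot: dropping the `**Note**: This tool can modify your filesystem.` line from the intro removes the only warning a reader sees before the Installation section; the new Security section sits at line 320+, well below the install and usage instructions. Suggest keeping a one-line pointer in its place, e.g. `**Note**: pi runs with unrestricted filesystem and command access; see [Security](#security-yolo-by-default) before installing.`, so anyone who copies the install command first is still told what they are enabling.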
@ -322,6 +320,34 @@ Edit a file by replacing exact text. The oldText must match exactly (including w
Execute a bash command in the current working directory. Returns stdout and stderr. Commands run with a 30 second timeout.
## Security (YOLO by default)
This agent runs in full YOLO mode and assumes you know what you're doing. It has unrestricted access to your filesystem and can execute any command without permission checks or safety rails.
**What this means:**
- No permission prompts for file operations or commands
- No pre-checking of bash commands for malicious content
- Full filesystem access - can read, write, or delete anything
- Can execute any command with your user privileges
**Why:**
- Permission systems add massive friction while being easily circumvented
- Pre-checking tools for "dangerous" patterns introduces latency and false positives
- Fast iteration requires trust, not sandboxing
**Prompt injection risks:**
- By default, pi has no web search or fetch tool
- However, it can use `curl` or read files from disk
- Both provide ample surface area for prompt injection attacks
- Malicious content in files or command outputs can influence behavior
**Mitigations:**
- Run pi inside a container if you're uncomfortable with full access
- Use a different tool if you need guardrails
- Don't use pi on systems with sensitive data you can't afford to lose
This is how I want it to work. Use at your own risk.
## License
MIT
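Review bot: the Mitigations list recommends running pi inside a container but, given that the section above states the agent runs commands with the user's privileges, can read anything on disk and can reach the network via `curl`, a container that bind-mounts the working tree read-write and inherits provider API keys from the environment leaves exactly those assets exposed to a prompt-injected command. Suggest adding to that bullet what the container should and should not carry: mount only the project directory (ideally a throwaway clone), pass the LLM API key in and nothing else, and drop network access where the task allows it. Also, the `Commands run with a 30 second timeout` line kept as context could be read as a safety limit; a short clause in the new section saying the timeout is an operational control, not a security boundary, would avoid that misreading.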