If you discover a security vulnerability, please report it responsibly:

1. Do not open a public GitHub issue
2. Email: security@schoensgibl.com
3. Include: description, reproduction steps, and potential impact
4. Allow up to 72 hours for initial response

Every tool has a configurable permission level (allow, ask, deny). Destructive tools default to ask, requiring explicit user confirmation. Configure in .nex/config.json.

Two-tier command filtering protects against dangerous operations:

• Forbidden (blocked, no override): rm -rf /, fork bombs, curl|sh, credential access, reverse shells, code injection — 30+ patterns
• Dangerous (requires confirmation): git push, npm publish, sudo, wget, pip install -g — 14 patterns

All tool implementations that execute external commands use execFileSync with argument arrays (not string interpolation) to prevent shell injection from LLM-generated arguments.

The web_fetch tool validates URLs against private/internal IP ranges before making requests. Blocked ranges include 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, localhost, and IPv6 private addresses. This prevents the LLM from accessing internal services or cloud metadata endpoints.

Sensitive files are created with restrictive permissions:

• .env files: 0600 (owner read/write only)
• Session files (.nex/sessions/): 0600 with directories at 0700
• Temporary files (screenshots, debug logs): 0600

Remote agent spawning uses StrictHostKeyChecking=accept-new (accepts on first connect, rejects key changes) and creates temporary task files with chmod 600. Path and model arguments are sanitized with allowlist character sets.

MCP server subprocesses receive only a safe allowlist of environment variables (PATH, HOME, USER, SHELL, LANG, TERM, NODE_ENV). API keys and secrets from process.env are never leaked to MCP servers.

Tool results (e.g., read_file, bash) are automatically scanned for common secret patterns before being inserted into the conversation context. Matches against well-known prefixes (API_KEY, TOKEN, SECRET, PASSWORD, CREDENTIAL — 14 provider prefixes including AWS, GCP, GitHub, Stripe, etc.) are redacted as VARNAME=***REDACTED***. This prevents secrets accidentally read from files from persisting in LLM context across turns.

npm audit --audit-level=high runs in CI on every push and pull request. High and critical CVEs in transitive dependencies block the build.

• LLM-generated commands: The bash tool executes shell commands suggested by the LLM. While safety patterns block many dangerous commands, the pattern list is not exhaustive. Always review commands before confirming execution.
• File access: The LLM can read and write files within the working directory. The permission system can restrict this, but defaults allow read access.
• Network access: web_fetch and web_search tools can make HTTP requests to public endpoints. Private/internal IPs are blocked, but DNS rebinding attacks are not covered. These tools can be disabled via the permission system.

• Run nex-code in a sandboxed environment (Docker, VM) for untrusted codebases
• Review .nex/config.json permissions before use
• Keep bash, write_file, and edit_file on ask mode (default)
• Do not store API keys in project directories — use environment variables