If you discover a security vulnerability in Agent Fleet, please report it responsibly:
- Do NOT open a public GitHub issue
- Email: security@studiomeyer.io
- Include: description, steps to reproduce, potential impact
We will respond within 48 hours and work on a fix.
Agent Fleet spawns Claude Code CLI subprocesses. Security considerations:
- Process isolation: Each agent runs as a separate subprocess. A subprocess is not a sandbox: it runs as the same OS user as Agent Fleet and inherits that user's file system and network access.
- File system access: Agents can read/write files via Claude Code tools. Use `--dry-run` for CTO/Repair agents when uncertain.
- MCP servers: All MCP servers run via `npx` and have their own security models. `npx` downloads a package that is not already installed, so review and pin the MCP servers you enable.
- Database: The optional PostgreSQL connection uses parameterized queries, so query text is never assembled from agent or user input (no SQL injection).
- Environment variables: API keys and `DATABASE_URL` are read from the environment and never hardcoded.
Recommended practices:
- Never run agents on an untrusted codebase without `--dry-run` first. Repository contents enter the model's context, so a malicious file can try to steer the agent's tool use.
- Review Discovery/Repair reports before applying fixes.
- Use environment variables for all secrets.
- Keep the Claude Code CLI updated.
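The launcher below is an added example of how the considerations above translate into code; it is not Agent Fleet's own implementation. It passes the child only an allowlist of environment variables (so unrelated credentials in the operator's shell are not inherited), confines the working directory to a configured root, builds the command as an argv list with no shell, and refuses to start a write-capable agent on an untrusted codebase without dry-run. Assumptions that do not come from the README: the agent names `cto`, `repair` and `discovery`, the variable name `ANTHROPIC_API_KEY`, and the placeholder worker invocation `claude -p <prompt>`.

```python
"""Hardened launch of a per-agent CLI subprocess.

Added illustration, not Agent Fleet's own code. Assumed (not from the README):
agent names "cto", "repair", "discovery"; the variable name ANTHROPIC_API_KEY;
and the worker being started as `claude -p <prompt>` (a placeholder invocation).
DATABASE_URL and the dry-run requirement for CTO/Repair come from the README.
"""
import os
import subprocess
from pathlib import Path
from typing import Callable, Iterable, Mapping

# Variables an agent subprocess legitimately needs. Everything else in the
# parent environment (cloud credentials, CI tokens, SSH agent sockets, ...)
# is deliberately not inherited by the child.
ENV_ALLOWLIST = ("PATH", "HOME", "LANG", "ANTHROPIC_API_KEY", "DATABASE_URL")

# Agents that may modify files. On an untrusted codebase they must run in
# dry-run mode: repository contents enter the model context, so a hostile
# file can try to steer the agent's edits.
WRITE_CAPABLE_AGENTS = frozenset({"cto", "repair"})


def build_agent_env(parent: Mapping[str, str],
                    allowlist: Iterable[str] = ENV_ALLOWLIST) -> dict:
    """Return the minimal environment for the child: only allowlisted names,
    values taken from the parent environment, nothing hardcoded."""
    env = {name: parent[name] for name in allowlist if name in parent}
    if "ANTHROPIC_API_KEY" not in env:
        raise RuntimeError("ANTHROPIC_API_KEY must be set in the environment")
    return env


def resolve_workdir(root: str, requested: str) -> Path:
    """Resolve `requested` under `root` and reject anything that escapes it.
    Symlinks are resolved before the containment check, so a link pointing
    outside the root is rejected too. An absolute `requested` path replaces
    the root when joined, so it is rejected unless it lies under the root."""
    root_path = Path(root).resolve()
    target = (root_path / requested).resolve()
    if target != root_path and root_path not in target.parents:
        raise ValueError(f"{requested!r} escapes agent root {root_path}")
    return target


def enforce_dry_run_policy(agent: str, *, dry_run: bool, trusted: bool) -> bool:
    """Refuse to launch a write-capable agent without dry-run unless the
    operator has explicitly marked the codebase as trusted."""
    if agent in WRITE_CAPABLE_AGENTS and not dry_run and not trusted:
        raise PermissionError(
            f"{agent} agent requires --dry-run on an untrusted codebase")
    return True


def build_agent_argv(prompt: str) -> list:
    """argv for the worker. The prompt is a single list element and is never
    interpolated into a shell string, so quotes or ';' in it cannot inject
    commands. Placeholder invocation (assumed, see module docstring)."""
    return ["claude", "-p", prompt]


def spawn_agent(agent: str, prompt: str, root: str, subdir: str = ".", *,
                dry_run: bool = True, trusted: bool = False,
                timeout: float = 600) -> subprocess.CompletedProcess:
    """Launch one agent with a minimal environment, a confined working
    directory, no shell, no inherited stdin and a hard timeout."""
    enforce_dry_run_policy(agent, dry_run=dry_run, trusted=trusted)
    workdir = resolve_workdir(root, subdir)
    env = build_agent_env(os.environ)
    return subprocess.run(
        build_agent_argv(prompt),
        cwd=workdir, env=env, shell=False,
        stdin=subprocess.DEVNULL,  # the worker cannot read the operator's terminal
        capture_output=True, text=True, timeout=timeout,
    )


def raises(exc: type, fn: Callable, *args, **kwargs) -> bool:
    """True if fn(*args, **kwargs) raises exc; used to exercise the guards."""
    try:
        fn(*args, **kwargs)
    except exc:
        return True
    return False
```

`subprocess.run` resolves the executable using the `PATH` of the environment it is given, which is why `PATH` stays on the allowlist. How dry-run is communicated to the worker is project-specific and left out here; the gate only decides whether a launch is permitted at all.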