Address outbound threats

[lee-b]

Sandboxing is helpful for "inbound" attacks from scripts/skills toward the host system, but does nothing for "outbound" attacks from the script/skill toward networks -- which includes both the internet, the intranet (including WANs), SDNs, the LAN, and even localhost (including other user accounts on localhost).

Primarily the way to address this is with vetted skills, but network lockdown, including lockdown per skill/agent, should also be used.

[teknium1]

That is partially what sandboxing does by isolating it from your .env and other sensitive code/internals of your system.

Do you propose any additional things that make sense? sending emails unintentionally? etc

[lee-b]

The threat model is a development artifact in its own right. That would help inform what the mitigations are. However, gut instinct would be put a whitelisting-rules-based proxy in front of all outgoing requests, log denial events, and pass these to the user as an opportunity to approve now/always. Then each request type can be explicitly approved, either one-time, or by creating an ongoing rule for it. Or one can turn that responsibility over to the user and (strongly) recommend an interactive firewall on the machine, or "hardware" firewall which operates this way -- an OPNSense box, for example, or the firewall in Proxmox, per VM that's running the agent perhaps.

[teknium1]

This issue is now a component of #410 (Secure Secrets Management Tool), which provides the umbrella plan for end-to-end secret lifecycle management. #410 Phase 2 introduces tiered environment scoping (secrets only injected into subprocesses when explicitly requested), and Phase 4 includes network-level coordination with this issue to restrict outbound access on a per-secret basis — preventing exfiltration even if a secret enters a subprocess environment.