Security

agenticEvolve enforces security at every layer — from code scanning to runtime permission control.

Security Scanner

All pipelines (/absorb, /learn, /evolve) run an automated security scan on external repos before processing.

Threat	Examples
Credential exfiltration	Reading `~/.ssh`, `~/.aws`, macOS Keychain dumps
Reverse shells	Bash/netcat/Python reverse shells
Remote code execution	`curl \| bash`, download-and-execute patterns
Obfuscated payloads	Base64-encoded shell commands, hex payloads
Malicious install hooks	npm `postinstall`, Python `setup.py` cmdclass
Destructive commands	`rm -rf /`, fork bombs, disk wipes
Crypto miners	xmrig, stratum connections
macOS persistence	LaunchAgents, login items, TCC resets

Use --skip-security-scan to bypass when you trust the source.

Three levels control what tools Claude Code can use, inspired by ZeroClaw. Configure via autonomy in config.yaml or toggle live with /autonomy.

Level	Tools	Risk Awareness	Use Case
`full`	Unrestricted (`--dangerously-skip-permissions`)	None	Default — trusted local use
`supervised`	Restricted whitelist (read + safe writes + safe bash)	Risk-tier prompting (low/medium/high)	Shared environments, demo mode
`readonly`	Read-only (Read, Glob, Grep, WebFetch, Task)	N/A	Research-only, audit mode

All configured in config.yaml, all hot-reload on next message:

Setting	Purpose
`forbidden_paths`	Directories the agent must never access (e.g., `~/.ssh`, `~/.aws`)
`security.filesystem_scoping`	Allowed directory prefixes (empty = allow all)
`security.block_symlink_escape`	Prevents symlinks from escaping filesystem scope
`security.deny_by_default`	When `true`, empty `allowed_users` list = deny all users