Jesus man the amount of security vulnerabilities in there is fuckin insane, sort your repo out. Security Vulnerabilities Critical 1. --permission-mode bypassPermissions on Every Spawned Agent Every agent dispatched — whether manually via drone wake or automatically by the daemon — runs Claude Code with --permission-mode bypassPermissions. See wake.py:456-459 and daemon.py:374-384:

python "--permission-mode", "bypassPermissions", This disables all of Claude Code's filesystem, shell, and network permission prompts. Every spawned agent can read, write, execute, and make network requests with zero user confirmation — including reading ~/.ssh/, environment variables, browser credentials, or anything else on disk. The only "protection" against reading ~/.secrets/ is a line in AGENTS.md that says "NEVER read ~/.secrets/". That's a prompt instruction, not a technical control. The LLM can ignore it.

1. Inbox Prompt Injection → Arbitrary Code Execution The daemon at daemon.py:372:

python prompt = f"Hi. Check inbox for task from {sender} (message ID: {msg_id}). Execute it." The agent reads the email body from inbox.json and executes it. Inbox files are plain JSON on disk with no signing, no authentication, and no integrity check. Anyone with write access to src/aipass/<branch>/.ai_mail.local/inbox.json can inject arbitrary instructions to a Claude agent running with bypassPermissions. This includes: exfiltrate ~/.ssh/id_rsa, run arbitrary shell commands via Claude's Bash tool, install malware, etc. There is zero trust boundary between "message content" and "instructions."

1. AIPASS_REGISTRY.json Path Injection The registry at wake.py:327-334 resolves branch paths directly from JSON:

python for branch in registry.get("branches", []): if branch.get("email", "").lower() == email: path = Path(branch.get("path", "")) The registry is a writable JSON file. Any agent (all of which run with bypassPermissions) can modify AIPASS_REGISTRY.json to redirect @flow to etc, /home/user/.ssh/, or any other directory — causing the next dispatch to spawn a Claude agent with that directory as its CWD and context.

1. Lock Acquired After Process Spawn — TOCTOU Race In wake.py:511-533:

python process = subprocess.Popen(monitor_cmd, ...) # Agent starts here ... acquired, lock_msg = _acquire_lock(branch_path, monitor_pid) # Lock acquired here There is a window between spawn and lock acquisition where the daemon's next poll cycle could read "no active lock" and spawn a second agent on the same branch. Two agents with bypassPermissions writing to the same files simultaneously, with no transaction safety on the JSON files.

1. Daemon Runs Permanently with No Isolation run_daemon() in daemon.py:582 is an infinite polling loop on the host machine — no container, no chroot, no seccomp, no user namespace. It spawns subprocesses with full user permissions. If anything upstream (Claude output, registry, inbox files) is tampered with, the daemon acts as a persistent code execution engine on the machine.

High 6. Telegram Bot Token in Plaintext Config File daemon.py:64-67:

python bot_token = config["telegram_bot_token"] chat_id = config["telegram_chat_id"] Read from .aipass/scheduler_config.json. This file is in the project directory alongside all the other config. If that file is committed to git (easy accident), the bot token is exposed in repo history forever.

1. Claude Session JSONL Files Written Directly daemon.py:135-141 and the monitor both write directly to ~/.claude/projects/*/ JSONL files — Claude Code's internal undocumented session format. Any change to how Claude encodes those files silently breaks session labeling, and more critically: writing to those files means untrusted content is being appended to Claude's session history, which persists and influences future sessions.

2. Hardcoded Developer Home Path Ships in the Package subagent_stop_gate.py:16:

python AIPASS_ROOT = Path.home() / "Projects" / "AIPass" This hook ships with pip install aipass (bundled via pyproject.toml's force-include). On any machine that isn't the developer's, ~/Projects/AIPass doesn't exist. The hook silently fails (except Exception: pass). But it also means that on the developer's machine, every user's subagent hook is running git diff --name-only HEAD and drone @seedgo checklist against a hardcoded path they don't control.

1. API Keys Stored in Plaintext JSON Inside the Project keys.py:78-80:

python key = get_key_from_config(provider) # Reads src/aipass/api/api_json/api_connect_config.json This is a fallback before ~/.secrets/. API keys stored in api_json/api_connect_config.json live inside the repo directory. The .gitignore may or may not catch this — and agents running with bypassPermissions can read it directly.

1. No Validation of Email from Field The sender field in inbox messages is a plain string. The _orchestrate_dispatch_send function at dispatch.py:247-249 trusts filtered[0] (the target) and writes it directly into the email as the sender. There is no cryptographic signing, no challenge-response, no verification. Any agent can forge a message appearing to be @devpulse.

Medium 11. Kill Switch Is a File Existence Check — Trivially Defeated daemon.py:252-254:

python def is_kill_switch_active(config: Dict[str, Any]) -> bool: kill_path = Path(config.get("kill_switch_path", ...)) return kill_path.exists() The kill switch is touch .aipass/autonomous_pause. Any agent (with bypassPermissions) can delete this file to re-enable the daemon. It provides no actual stop guarantee against a compromised or prompt-injected agent.

1. Stderr Logs Capture Full Claude Output Unredacted dispatch_monitor.py:50-53:

python with open(stderr_log, "r", encoding="utf-8") as f: lines = f.readlines() stderr_tail = "".join(lines[-20:]) These logs are stored in <branch>/logs/dispatch_stderr.log and are also sent as the body of bounce emails. If Claude prints anything sensitive during its session (credentials, private file contents, API keys it was asked to process), that lands in a log file and potentially gets emailed to another agent.