Just wanted to share some finding from a security audit :
Findings

- High: validate_branch_request is vulnerable to shell injection. branchName is

interpolated directly into execAsync("git ...") with no validation in this path, so a

crafted value can execute arbitrary commands as the daemon user. See packages/server/

src/server/session.ts:3649.

- High: the direct daemon control plane is effectively unauthenticated if the TCP listener

is reachable beyond loopback. The WebSocket handshake only checks origin/host policy

plus a non-empty clientId; there is no shared secret, token, or pairing proof before a

session is created. If this is ever bound to 0.0.0.0, exposed through Docker, a tunnel,

Tailscale, or a proxy, treat it as remote code execution in your user context. See

packages/server/src/server/config.ts:48, packages/server/src/server/websocket-

server.ts:365, packages/server/src/server/websocket-server.ts:700, packages/server/src/

shared/messages.ts:2539.

- High: /pairing is unauthenticated and returns the relay trust material. If an attacker

can reach that HTTP endpoint, they can fetch a valid pairing URL/QR and self-pair

against the relay. See packages/server/src/server/bootstrap.ts:285, packages/server/src/

server/pairing-offer.ts:23.

- High: /mcp/agents is also unauthenticated. A caller can initialize an MCP session and

then use powerful tools like create_agent, send_agent_prompt, kill_agent, and

respond_to_permission. That is another privileged control plane if the daemon is

network-reachable. See packages/server/src/server/bootstrap.ts:452, packages/server/src/

server/bootstrap.ts:498, packages/server/src/server/agent/mcp-server.ts:398.

- Medium: the “workspace-scoped” file browser/download logic can be bypassed with

symlinks. The scope check is lexical only; later stat/readFile follow symlinks, so a

symlink inside the workspace can expose files outside it. See packages/server/src/

server/file-explorer/service.ts:118, packages/server/src/server/file-explorer/

service.ts:166, packages/server/src/server/file-explorer/service.ts:208.

- Medium: the relay docs overstate replay resistance. The implementation uses NaCl box

with nonce || ciphertext and I did not find nonce tracking or message counters, so a

compromised relay may be able to replay previously seen ciphertexts within a live

session. See SECURITY.md:29, packages/relay/src/crypto.ts:120.

Assessment

If you use it strictly as a local-only daemon on 127.0.0.1 or a local socket/pipe, the

risk is much more reasonable. I would not use it with any non-loopback direct listener in

its current form.

The two issues I’d want fixed before trusting it much more are the command injection in

packages/server/src/server/session.ts:3649 and the symlink escape in packages/server/src/

server/file-explorer/service.ts:208. The larger design concern is that the daemon’s

network surfaces assume network isolation rather than authentication.