IntelAgent is designed to be run locally, by a single user, on a machine and account that user trusts. It is an agentic assistant that, by design, can act on the host system: run shell commands, write and execute Python, install packages, fetch arbitrary URLs, read and write files, and — when the Computer Use skill is enabled — control the mouse, keyboard, and live desktop applications.

These are intended capabilities, not defects. Like a terminal or a scripting environment, they are powerful by nature and assume a trusted operator. IntelAgent is not designed or hardened for:

• multi-tenant or shared deployments,
• exposure to untrusted users or the public internet,
• running untrusted/automated workloads without supervision.

If you need any of those, treat IntelAgent as unsuitable as-is and add your own isolation (containers, restricted accounts, network controls) first.

1. Prompt injection → autonomous actions. The agent ingests untrusted external content (web pages, PDFs, RSS) and can then call high-power tools. Malicious content could attempt to steer it into running commands or exfiltrating data. There is currently no per-action confirmation for the shell (LOCAL_SEARCHER), code-execution/pip install (DATA_ANALYST), or file tools. Supervise autonomous runs, and be cautious when pointing the agent at untrusted sources.
2. No authentication. The Streamlit app and the local MCP servers assume a single local operator. Do not bind the server to a public address or share an instance.
3. Secrets exposure to the model. The ENV_MANAGER skill can read your .env, and any skill output is placed into the model's context. If you have enabled a remote model (OpenRouter), that context — potentially including secrets or file contents — is transmitted off-machine. Prefer the local model for sensitive material.
4. Computer Use. When enabled, the agent can move the mouse, type, and drive open applications. It is gated by a one-time confirmation that a vision model is loaded, but not per action. Use it deliberately.

• Run locally only. Keep the default localhost binding; never expose the Streamlit port publicly.
• Use a trusted machine/account. Consider a dedicated user account or a VM if you intend to run aggressive autonomous tasks.
• Keep secrets out of git. Your real keys belong in .env (and Google tokens in skills/*/token.json); both are excluded by .gitignore. Never git add -f them, and verify before pushing:

  git status --porcelain
  git ls-files | grep -iE "\.env$|token\.json|credential"   # should show only .env.example

• Rotate credentials if you ever suspect a key was exposed (committed, pasted into a remote model, or shared in logs).
• Prefer the local model (holo3-35b-a3b or any LM Studio model) when handling sensitive journalistic or research data.
• Review autonomous runs, especially before enabling LOCAL_SEARCHER, DATA_ANALYST, or COMPUTER_USE on tasks that involve untrusted input.

This is an actively developed project. Security fixes target the latest commit on the main branch. There is no long-term support for older revisions.

If you discover a security issue, please report it privately rather than opening a public issue:

• Open a GitHub Security Advisory on this repository (preferred), or
• Contact the maintainer directly via the contact details on the project's GitHub profile / linked website.

Please include a description, reproduction steps, and the potential impact. We aim to acknowledge reports within a reasonable timeframe and will coordinate disclosure once a fix is available.