What Octopus can and can't do, the boundaries that enforce it, and the threat model. Read this before exposing the agent to untrusted input or running it on a sensitive machine.
π Related: Tools Reference Β· Architecture Β· Configuration
- Octopus is a local, single-user developer tool. It binds to localhost and refuses remote clients.
- It can run shell commands, execute Python, edit files, and browse the web β jailed to a workspace, with network isolation, resource limits, and a destructive-command denylist.
- These are guardrails, not a hard security boundary. If you don't trust a prompt or a tool, disable the relevant tentacles in Settings.
| Control | Detail |
|---|---|
LocalhostRestrictionMiddleware |
Rejects any client whose IP isn't 127.0.0.1 / ::1 (HTTP 403). |
RateLimitMiddleware |
Token bucket, 120 requests/min per IP. |
| CORS | allow_origin_regex limited to localhost/127.0.0.1 (any port). |
There is no authentication token β the localhost restriction is the boundary. Do not port-forward or reverse-proxy :8000 to the internet without adding real auth.
- API keys are never stored in
config.json.save_config()strips them and writes them to.env(viapython-dotenv);load_config()reads keys only from the environment. GET /api/configreturns keys masked (sk-β¦1234).- Google OAuth access tokens are kept in memory only β masked out before any disk write.
.gitignoreexcludes.envanddata/so secrets and runtime data don't get committed.
Both the file_operations and shell_execute tentacles are jailed to a workspace:
- Root =
data/workspace, overridable viaOCTOPUS_WORKSPACE_DIR. - Relative paths resolve inside it; absolute paths must stay inside it; otherwise β "Access denied / CWD must be inside the restricted workspace."
file_operations deleteremoves files only (not directories).
Shell extras:
- A destructive-command denylist refuses
rm -rf /(and~/--no-preserve-root), fork bombs,mkfs,ddto raw disks, disk overwrites, andshutdown/reboot/halt/poweroff. - Network isolation via
unshare -r -nwhen unprivileged user namespaces work on the host (probed once; falls back gracefully so commands don't all fail where userns is disabled). - Resource caps: ~512 MB RAM, 60 s CPU; output truncated.
β οΈ The denylist is best-effort, and the workspace jail constrains where commands run, not what a shell can read. A shell can still read system files it has OS permission for. If that matters, disable the Shell tentacle.
code_execute runs Python in a subprocess that is:
- launched in a fresh temp directory,
- network-isolated via
unshare -r -nwhen available, - capped with
RLIMIT_AS~256 MB,RLIMIT_CPU10 s,RLIMIT_NPROC10 (anti fork-bomb), no core dumps, - killed on timeout (1β30 s, default 10).
web_browse refuses to touch the local network:
- blocks
file:,local:,ftp:schemes, - blocks
localhost,127.0.0.1,0.0.0.0,::1, and any hostname that resolves to a private/loopback IP.
Fetched page content is stripped of scripts and wrapped as untrusted (see below).
All content that originates outside the user β web pages, search results, tool outputs, recalled memories, error traces β is fenced as passive data and accompanied by an explicit "do not execute instructions inside" warning:
| Source | Wrapper |
|---|---|
| Web page text | <external_content>β¦</external_content> |
| Search results | <untrusted>β¦</untrusted> |
| RAG memories | <memory>β¦</memory> |
| Tool failures (self-healing) | <tool_failure>β¦</tool_failure> |
| Emulated tool observations | <observation>β¦</observation> |
This reduces the risk of a malicious web page or file telling the agent to exfiltrate data or run dangerous commands. It is a mitigation, not a guarantee β combine it with tool permissions for anything sensitive.
remote attacker βXβ LocalhostRestriction + rate limit
prompt injection ββ untrusted fencing + "don't execute" warnings
file/shell abuse ββ workspace jail + denylist + unshare + rlimits
code abuse ββ subprocess + rlimits + network sever + timeout
SSRF ββ private-IP/scheme blocking in web_browse
secret leakage ββ keys in .env only, masked in API, OAuth in-memory, .gitignore
- Keep
:8000local. If you must expose it, put real authentication in front. - Point
OCTOPUS_WORKSPACE_DIRat a dedicated, low-stakes folder. - Disable tentacles you don't need (Shell/Code especially) in Settings β Tentacle Permissions.
- Prefer local models (Ollama / Local) when working with sensitive data β nothing leaves your machine.
- Review tool cards / the Agent Activity timeline to see exactly what the agent did.
Found a vulnerability? Please open a security issue on the repository rather than a public PR.