Security Built Into Every Layer
Snippbot wraps every agent action in a 9-layer security envelope — from AES-256-GCM encryption at rest to real-time prompt injection detection. Your data stays on your hardware. Your agents operate under strict permission tiers. Every action is auditable.
Security layers
Encryption standard
PBKDF2 iterations
Injection patterns blocked
Zero-trust by default
Unlike cloud-based AI platforms that route your data through third-party servers, Snippbot runs entirely on your machine. No telemetry, no analytics, no phone-home. Your conversations, memories, files, and agent activity never leave your hardware. Every component — from encryption to sandboxing — is designed with the assumption that no layer is safe alone, so every layer must defend itself.
The 9-Layer Security Envelope
Each layer operates independently. A breach at any single layer is contained by the others.
Encryption at Rest
All secrets — API keys, OAuth tokens, credentials — are encrypted with AES-256-GCM using 96-bit nonces and 128-bit authentication tags. Keys are derived via PBKDF2-HMAC-SHA256 with 600,000 iterations, exceeding NIST SP 800-132 recommendations. Your master key is stored in the OS keychain (macOS Keychain, Linux Secret Service, or Windows Credential Manager) — never in plaintext files.
Multi-Factor Authentication
Snippbot supports multiple authentication methods depending on context. Agents authenticate with Ed25519 cryptographic signatures with 5-minute timestamp freshness to prevent replay attacks. Admin sessions use bcrypt (cost factor 12) with 32-byte random session tokens, HttpOnly cookies, and SameSite=Strict. Device pairing uses QR codes with biometric verification. All API keys are SHA-256 hashed before storage.
5-Tier Permission Model
Every agent operates within a strict permission tier that controls filesystem access, network reach, and process execution. Agents start in a sandbox and can only escalate one tier at a time — with your explicit approval. High-risk tasks are automatically capped at restricted tiers. Every permission check is logged to an audit trail.
| Tier | Filesystem | Network | Process |
|---|---|---|---|
| 0 — Sandbox | Read workspace only | None | None |
| 1 — Restricted | Read workspace | Allowlist only | None |
| 2 — Standard | Read/write workspace | Full internet | Allowlisted commands |
| 3 — Elevated | Read/write home | Internal network | Daemon processes |
| 4 — Unrestricted | Full filesystem | Full network | Any process |
Container & OS-Level Sandboxing
Agent tool execution runs inside isolated containers — Docker or Podman — with enforced resource limits on memory, CPU, and duration. MCP servers are additionally wrapped in OS-level sandboxes: macOS Seatbelt or Linux bwrap/firejail. Mount paths are validated against blocked sources. The system fails closed — if no sandbox is available, execution is denied rather than running unsafely.
Command Validation & Environment Filtering
Every subprocess command passes through a multi-stage validation pipeline. Hardcoded blocklists prevent privilege escalation (sudo, su, chmod), system destruction (mkfs, fdisk, reboot), and persistence (crontab, systemctl). 8 evasion-detection regex patterns catch shell injection via eval, backticks, $(), and fork bombs. The subprocess environment is constructed from a whitelist — secrets, library hijacking variables (LD_PRELOAD, DYLD_INSERT_LIBRARIES), and cloud credentials are stripped automatically.
Prompt Injection Defense
External content — MCP tool outputs, email bodies, scraped web pages, marketplace packages — is scanned against 40+ detection patterns across 5 attack categories: instruction override, role spoofing, obfuscation, XML/JSON injection, and data extraction. Critical-severity injections are blocked and replaced with warnings. High and medium severity patterns are sanitized with proper escaping. All detections are rate-limited and logged.
Network Hardening & SSRF Prevention
All outbound requests pass through egress domain allowlists — agents can only reach pre-approved domains. SSRF protection blocks private IP ranges (RFC 1918), cloud metadata endpoints (169.254.169.254), and IPv6 private ranges, with DNS rebinding prevention that resolves hostnames and validates all returned IPs. Rate limiting uses a sliding window algorithm with tier-based limits (60/min default, 5/min for security endpoints) and proper Retry-After headers.
Supply Chain & Marketplace Security
Every marketplace package passes through a multi-layer audit scanner before installation. Manifest fields are validated, source code is scanned for dangerous patterns (eval, exec, os.system, pickle.loads), executable file types are blocked (.exe, .dll, .bat, .ps1), and npm lifecycle scripts are inspected for supply chain attacks. Custom skills undergo static analysis with capability manifests — runtime access beyond declared capabilities is denied.
Audit Trail & Error Sanitization
Every permission check, escalation request, and security event is logged to a SQLite-backed audit trail with timestamps, entity tracking, and action types. Error responses are automatically sanitized — tracebacks, file paths, database table names, and internal details are stripped from all 5xx responses, preventing information disclosure to attackers. Full error details remain available internally at debug level.
Agent Isolation & Data Boundaries
Every agent session is isolated. No cross-contamination, no shared state leaks.
Session Isolation
Each sub-agent gets an independent task executor, separate message history, and isolated token budgets. Tool registries are filtered per-agent with allowlist/denylist controls. Security-sensitive tools are denied by default.
Webhook Verification
Inbound webhooks are verified with HMAC-SHA256 constant-time comparison. Slack-specific replay protection validates timestamps within a 5-minute window. Delivery deduplication prevents replay attacks with a 10,000-entry FIFO cache. IP allowlisting with CIDR validation adds another layer.
OAuth Token Safety
OAuth tokens are managed with automatic refresh before expiry with a 60-second buffer. Concurrent request safety prevents token race conditions. Scope management ensures tokens are isolated per-resource-server with no scope bloat. All tokens are encrypted at rest in the secret store.
Input Validation & Data Protection
Every input is validated, every output is sanitized, every boundary is enforced.
SQL Injection Prevention
All database queries use parameterized bind variables — no string concatenation, no template interpolation. This eliminates SQL injection across every endpoint.
Path Traversal Protection
Filesystem paths are normalized via posixpath.normpath(), checked for ".." sequences, and validated with os.path.commonpath() boundary enforcement. No escape from designated directories.
Content Size Limits
Request bodies capped at 10 MB with double-checking (header + streamed body) to prevent chunked transfer bypass. Headers limited to 8 KB, URLs to 2,048 characters, and JSON nesting to 10 levels.
MCP Command Validation
MCP server commands are validated against an allowlist (node, python, docker, etc.) with shell metacharacter blocking. HTTP/SSE transports pass through SSRF validation before connecting.
Your data never touches our servers
Cloud AI platforms route your data through third-party infrastructure, creating exposure at every hop. Snippbot eliminates that attack surface entirely — everything runs on your hardware, encrypted with your keys, under your control.
- Zero data exfiltration risk — no cloud hop, no third-party storage
- No telemetry or analytics — zero phone-home, zero tracking
- Full audit control — every agent action logged locally, visible only to you
Run agents you can trust
Enterprise-grade security with zero configuration. Install Snippbot and every layer is active from the first run — encryption, sandboxing, permissions, and audit logging all enabled by default.