carmenta

The system employs robust AES-256-GCM encryption for API keys and OAuth tokens stored in the database, and uses SVIX for webhook signature verification. However, it exposes high-privilege features: 1. **Code Mode**: Allows execution of arbitrary bash commands (`lib/code/bash-executor.ts`) within user-selected project paths. While `DANGEROUS_DIRS` are defined and environment variables are sanitized, this feature inherently carries a high risk if not rigorously sandboxed and permissioned for specific, trusted users/environments. 2. **MCP Servers**: AI agents can configure and interact with custom Microservice Control Plane (MCP) servers, allowing dynamic integration of external APIs via `createMcpServer` and `raw_api` calls. This significantly expands the attack surface, as a malicious or compromised MCP server could execute arbitrary operations. 3. **Raw API Access**: Many service adapters (e.g., LinkedIn, CoinMarketCap, Gmail, Spotify) expose a `raw_api` operation, enabling AI agents to make direct, arbitrary calls to external service APIs. This bypasses higher-level abstractions and requires careful control of the agent's intent and context. Rigorous access control, environment isolation (e.g., running Code Mode in ephemeral, isolated containers), and comprehensive monitoring are critical.