Lynkr

The server implements robust security measures, including: 1. Explicit blocklists for dangerous shell commands and Python code patterns (e.g., `rm -rf /`, fork bombs). 2. Redaction of sensitive content (private keys, potential secrets) from LLM outputs. 3. Granular policy controls for file access (`allowedPaths`, `blockedPaths`) and Git operations (`allowPush`, `allowCommit`). 4. Mandatory use of environment variables for API keys and sensitive configurations, preventing hardcoding. 5. Advanced sandboxing for `shell` and `python_exec` tools, leveraging Docker/container runtimes with configurable resource limits, network isolation, user/entrypoint control, and capability drops. This significantly mitigates risks associated with arbitrary code execution. The primary risk lies in misconfiguring the Docker sandbox image or disabling sandboxing, which would expose the host system.