Skip to main content

Coworker Agents security

Understand how an agent's blast radius is contained before you give it real credentials and real work.

A risky action has to make it past three independent layers, and failing any one stops it:

LayerWhat it stops
SandboxNetwork calls to domains outside the egress allowlist
Tool allowlistCalls to any tool not explicitly in allowed_tools
Gateway rules and middlewareTool calls that match your organization's block or flag rules

Sandboxed execution

Each run executes on MintMCP's hosted runner in an isolated environment with restricted network egress — only GitHub, the model provider, package registries, and the domains you allowlist are reachable. The compute is ephemeral: nothing survives a run except what the agent commits to its repository.

The sandbox restricts egress and the filesystem; it is not an air-gapped environment. Treat the agent's tool allowlist and gateway rules as the primary controls on what it can affect.

Secrets

  • Secret values are stored in MintMCP (encrypted at rest) and injected at run time; agent.yml only holds references like {{secrets.MY_KEY}}. The configuration validator rejects hardcoded credentials before they reach git. MCP server credentials flow through the MintMCP gateway rather than through agent secrets.
  • Agent-scoped secrets are namespaced per agent, so one agent can't read another's credentials.
  • Secret brokering goes further: the run only ever sees a placeholder, and MintMCP substitutes the real value into outbound requests to allowlisted domains — the raw secret is never visible to the model, the sandbox, or the agent's own code.

Identity and audit

Every vMCP-connected tool call carries the agent's own identity through the gateway, so agent traffic is distinguishable from human traffic in your audit log and can have its own rules. Three audit surfaces cover different questions:

SurfaceAnswers
Gateway audit logWhich tools did the agent call, with what arguments, when?
Agent MonitorWhat did the agent do inside the session — every file read, command, and tool call — with rules that can block in real time
Run history and transcriptsWhat did the agent conclude and why? Full conversation per run, plus the agent's own activity-log.csv

Tool calls to MCP servers declared directly in agent.yml (rather than through a vMCP) bypass the gateway audit log, though Agent Monitor still captures them in the session. Prefer vMCP connections when audit coverage matters.

Slack surface

The agent's Slack app uses a minimal scope set, MintMCP verifies Slack's request signatures before dispatching runs, and messages from other bots are ignored unless explicitly allowlisted — see Connect a Coworker Agent to Slack.

Next steps