Coworker Agents security
Understand how an agent's blast radius is contained before you give it real credentials and real work.
A risky action has to make it past three independent layers, and failing any one stops it:
| Layer | What it stops |
|---|---|
| Sandbox | Network calls to domains outside the egress allowlist |
| Tool allowlist | Calls to any tool not explicitly in allowed_tools |
| Gateway rules and middleware | Tool calls that match your organization's block or flag rules |
Sandboxed execution
Each run executes on MintMCP's hosted runner in an isolated environment with restricted network egress — only GitHub, the model provider, package registries, and the domains you allowlist are reachable. The compute is ephemeral: nothing survives a run except what the agent commits to its repository.
The sandbox restricts egress and the filesystem; it is not an air-gapped environment. Treat the agent's tool allowlist and gateway rules as the primary controls on what it can affect.
Secrets
- Secret values are stored in MintMCP (encrypted at rest) and injected at run time;
agent.ymlonly holds references like{{secrets.MY_KEY}}. The configuration validator rejects hardcoded credentials before they reach git. MCP server credentials flow through the MintMCP gateway rather than through agent secrets. - Agent-scoped secrets are namespaced per agent, so one agent can't read another's credentials.
- Secret brokering goes further: the run only ever sees a placeholder, and MintMCP substitutes the real value into outbound requests to allowlisted domains — the raw secret is never visible to the model, the sandbox, or the agent's own code.
Identity and audit
Every vMCP-connected tool call carries the agent's own identity through the gateway, so agent traffic is distinguishable from human traffic in your audit log and can have its own rules. Three audit surfaces cover different questions:
| Surface | Answers |
|---|---|
| Gateway audit log | Which tools did the agent call, with what arguments, when? |
| Agent Monitor | What did the agent do inside the session — every file read, command, and tool call — with rules that can block in real time |
| Run history and transcripts | What did the agent conclude and why? Full conversation per run, plus the agent's own activity-log.csv |
Tool calls to MCP servers declared directly in agent.yml (rather than through a vMCP) bypass the gateway audit log, though Agent Monitor still captures them in the session. Prefer vMCP connections when audit coverage matters.
Slack surface
The agent's Slack app uses a minimal scope set, MintMCP verifies Slack's request signatures before dispatching runs, and messages from other bots are ignored unless explicitly allowlisted — see Connect a Coworker Agent to Slack.
Next steps
- Configure a Coworker Agent — tighten
allowed_tools, sandbox domains, and secret brokering - Agent Monitor overview — session-level visibility and rules