Security: ManusAgents/ManusGPT

SECURITY.md

🔒 Security Policy

Reporting Security Vulnerabilities

We take the security of ManusGPT seriously. Given that ManusGPT operates with real OS-level access (shell execution, file system manipulation, mouse/keyboard control), security vulnerabilities can have significant real-world impact.

How to Report

Preferred Method: Use GitHub Security Advisories to submit a private vulnerability report. This ensures only maintainers can see the report while it's being investigated.

Alternative Method: Open a GitHub Issue with the [SECURITY] tag in the title. Example:

[SECURITY] Permission gate bypass allows unauthorized file deletion

What to Include

Please include the following in your report:

  • Description of the vulnerability and its potential impact
  • Steps to reproduce the issue (as detailed as possible)
  • Affected versions of ManusGPT
  • Proof of concept (code, screenshots, or screen recordings)
  • Suggested fix (if you have one — optional but appreciated)
  • Environment details (OS, Node.js version, Electron version, LLM provider)

What We Commit To

  1. Acknowledgment — We will acknowledge your report within 48 hours.
  2. Assessment — We will evaluate the vulnerability and determine its severity.
  3. Resolution — We will develop and release a fix as soon as possible.
  4. Credit — With your permission, we will credit you in the security advisory and release notes.
  5. Coordination — We will work with you to coordinate a responsible disclosure timeline.

What We Ask of You

  1. Do NOT publicly disclose the vulnerability before a fix has been released.
  2. Do NOT exploit the vulnerability for any purpose other than demonstrating it for the report.
  3. Allow reasonable time for us to develop and deploy a fix (typically 90 days for critical, 30 days for high/medium).
  4. Destroy any proof-of-concept materials after the issue is resolved.

Supported Versions

| Version | Supported | Security Updates |
| --- | --- | --- |
| v2.0.x (latest) | ✅ Yes | Active |
| v1.x.x | ❌ No | End of life |
| Pre-release (main branch) | ⚠️ Best effort | Monitoring |

Security fixes are applied to the latest release branch. Older versions receive security updates only for critical vulnerabilities.


Security Model Overview

ManusGPT operates in a unique security context — it is an autonomous agent with genuine OS-level capabilities. Our security model is designed around defense in depth:

Layer 1: Permission Gate

User Request
    │
    ▼
┌─────────────────────────┐
│   PERMISSION GATE       │
│                         │
│   ALLOW  — Auto-execute │
│   ASK    — Prompt user  │
│   DENY   — Block action │
└─────────────────────────┘
    │
    ▼
Tool Execution

Every tool invocation passes through the 3-tier permission system. Users can configure per-tool, per-action, and per-context rules. Sensitive operations (file deletion, system commands, God Mode) default to ASK or DENY.

Layer 2: Catastrophic Mode Rejection

A dedicated filter detects and blocks obviously destructive commands before they reach the permission gate. This includes:

  • Recursive deletions (rm -rf /)
  • Disk formatting commands
  • Kernel-level modifications
  • Credential dumping
  • Network exfiltration patterns

This layer operates before user confirmation — even if a user accidentally allows a dangerous command, it will be intercepted.
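The following is an added illustration of how Layers 1 and 2 fit together; it is not ManusGPT's own implementation. A shell command is first screened by the catastrophic filter and only then looked up in the per-tool permission table, so a tool set to ALLOW still cannot run a blocked command. The function names, the rule shape (per-tool only, whereas the policy also describes per-action and per-context rules), the two sample patterns and the default-DENY tool set are assumptions made for this example; the embedded configuration is the one recommended further down this page.

```javascript
// Added illustration, not ManusGPT's own code. Layer 2 (catastrophic
// rejection) runs first, then Layer 1 (the per-tool permission gate).
// Function names, the rule shape and the sample patterns are assumptions.

const DECISIONS = Object.freeze({ ALLOW: 'ALLOW', ASK: 'ASK', DENY: 'DENY' });

// Layer 2: patterns for obviously destructive shell commands. This is a
// constructed sample covering two of the policy's categories (recursive root
// deletion, disk formatting); a real filter carries a maintained list.
const CATASTROPHIC_PATTERNS = [
  { name: 'recursive root deletion', re: /\brm\s+-\w*r\w*\s+\/(?:\s|\*|$)/ },
  { name: 'disk formatting', re: /\bmkfs(?:\.\w+)?\b/ },
];

// Tools whose `command` argument is a shell string (assumed mapping).
const COMMAND_TOOLS = new Set(['bash', 'system_control']);

function catastrophicCheck(tool, args) {
  if (!COMMAND_TOOLS.has(tool) || typeof args?.command !== 'string') {
    return { blocked: false };
  }
  for (const { name, re } of CATASTROPHIC_PATTERNS) {
    if (re.test(args.command)) return { blocked: true, reason: name };
  }
  return { blocked: false };
}

// Layer 1: per-tool lookup with fail-safe defaults. A tool missing from the
// config falls back to ASK; the two tools the policy singles out as most
// sensitive fall back to DENY when they are not configured at all.
const DEFAULT_DENY_TOOLS = new Set(['system_control', 'god_mode']);

function permissionFor(tool, permissions) {
  const configured = permissions[tool];
  if (typeof configured === 'string' && DECISIONS[configured]) return configured;
  return DEFAULT_DENY_TOOLS.has(tool) ? DECISIONS.DENY : DECISIONS.ASK;
}

// Decision for one tool invocation, plus the layer that produced it so the
// UI can tell the user why something was blocked.
function evaluateToolCall(call, config) {
  const { tool, args = {} } = call;
  // Missing `catastrophicRejection` block means "enabled", never "off".
  if (config.catastrophicRejection?.enabled !== false) {
    const check = catastrophicCheck(tool, args);
    if (check.blocked) {
      return { decision: DECISIONS.DENY, layer: 'catastrophic_rejection', reason: check.reason };
    }
  }
  const decision = permissionFor(tool, config.permissions ?? {});
  return { decision, layer: 'permission_gate', reason: `rule for ${tool}` };
}

// Drives execution from the decision. `prompt` and `execute` are injected so
// the gate itself has no UI or OS dependency and can be tested offline.
async function runToolCall(call, config, { prompt, execute }) {
  const verdict = evaluateToolCall(call, config);
  if (verdict.decision === DECISIONS.DENY) return { ran: false, verdict };
  if (verdict.decision === DECISIONS.ASK && !(await prompt(call, verdict))) {
    return { ran: false, verdict };
  }
  return { ran: true, verdict, result: await execute(call) };
}

// The configuration this policy recommends, embedded as sample input.
const RECOMMENDED_CONFIG = {
  permissions: {
    bash: 'ASK', python: 'ASK', editor: 'ASK',
    browser: 'ALLOW', system_control: 'DENY', god_mode: 'DENY',
  },
  identityGuard: { enabled: true, strictMode: true },
  catastrophicRejection: { enabled: true },
};
```

The ordering is the point: `evaluateToolCall` consults the catastrophic filter before it ever reads the permission table, and an absent `catastrophicRejection` section is treated as enabled, so a truncated or hand-edited config fails closed rather than open.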

Layer 3: Identity Guard

The Identity Guard protects the agent's core reasoning from adversarial manipulation:

  • 30+ injection patterns detected (prompt injection, jailbreak attempts, role confusion)
  • Output sanitization to prevent the agent from echoing malicious instructions
  • Context boundary enforcement to prevent data leakage between sessions
  • Tool output validation to detect and sanitize adversarial payloads returned by tools

Architecture Boundaries

| Boundary | Enforcement |
| --- | --- |
| Main ↔ Renderer | Electron's contextIsolation + sandbox enabled. IPC bridge only exposes approved channels. |
| Agent ↔ OS | All OS interactions route through the Permission Gate. No direct system access from the renderer process. |
| LLM ↔ Agent | LLM outputs are parsed through a schema validator. Malformed or unexpected tool calls are rejected. |
| Sessions | Each session has isolated memory and context. Cross-session search is explicit and user-controlled. |
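As an added example of the LLM ↔ Agent boundary (not ManusGPT's own validator), the block below parses raw model output as JSON and checks it against a registry of known tools before anything reaches the permission gate. The registry contents, the argument schemas, the size limit and the function names are assumptions made for this illustration; the `{ "tool": ..., "args": {...} }` wire format is likewise assumed.

```javascript
// Added illustration, not ManusGPT's own code. Validates LLM output against
// a tool registry; everything here (registry, wire format, limits) is assumed.

// Constructed registry: each tool lists its arguments with a JSON type and
// whether they are required. Any tool not listed is an "unexpected" call.
const TOOL_REGISTRY = {
  bash:    { args: { command:   { type: 'string', required: true },
                     timeoutMs: { type: 'number', required: false } } },
  editor:  { args: { path:      { type: 'string', required: true },
                     content:   { type: 'string', required: true } } },
  browser: { args: { url:       { type: 'string', required: true } } },
};

// Assumed ceiling; oversized output is rejected before JSON.parse runs on it.
const MAX_OUTPUT_CHARS = 64 * 1024;

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Returns { ok: true, call } or { ok: false, error }. Never throws on bad input,
// so a hostile or garbled model response cannot crash the agent loop.
function validateToolCall(rawText, registry = TOOL_REGISTRY) {
  if (typeof rawText !== 'string' || rawText.length > MAX_OUTPUT_CHARS) {
    return { ok: false, error: 'output is not a string or exceeds size limit' };
  }
  let parsed;
  try {
    parsed = JSON.parse(rawText);
  } catch {
    return { ok: false, error: 'output is not valid JSON' };
  }
  if (!isPlainObject(parsed)) return { ok: false, error: 'tool call must be a JSON object' };

  // Exactly the two top-level keys we know about. Extra keys are rejected
  // rather than ignored so the model cannot smuggle additional directives
  // (this also catches a literal "__proto__" key, which JSON.parse keeps
  // as an own property and Object.keys therefore reports).
  const topKeys = Object.keys(parsed).sort().join(',');
  if (topKeys !== 'args,tool') return { ok: false, error: `unexpected top-level keys: ${topKeys}` };

  const { tool, args } = parsed;
  if (typeof tool !== 'string' || !hasOwn(registry, tool)) {
    return { ok: false, error: `unknown tool: ${String(tool)}` };
  }
  if (!isPlainObject(args)) return { ok: false, error: 'args must be an object' };

  const schema = registry[tool].args;
  for (const key of Object.keys(args)) {
    if (!hasOwn(schema, key)) {
      return { ok: false, error: `unexpected argument "${key}" for ${tool}` };
    }
    if (typeof args[key] !== schema[key].type) {
      return { ok: false, error: `argument "${key}" must be ${schema[key].type}` };
    }
  }
  for (const [key, spec] of Object.entries(schema)) {
    if (spec.required && !hasOwn(args, key)) {
      return { ok: false, error: `missing required argument "${key}" for ${tool}` };
    }
  }
  // Hand back a fresh object built only from validated fields, never the
  // parsed input itself, so later stages only ever see the checked shape.
  return { ok: true, call: { tool, args: { ...args } } };
}
```

Both unknown tools and unknown arguments are rejected outright instead of being dropped: silently stripping fields would let a model probe which names slip through, while a hard rejection surfaces the malformed call to the user and the logs.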

Known Limitations

  • LLM outputs are probabilistic — cleverly crafted prompts may bypass injection detection. This is an inherent limitation of current AI technology.
  • God Mode is inherently dangerous — real mouse/keyboard control means the agent can interact with anything on screen. The Permission Gate is the primary defense.
  • Browser automation can access authenticated sessions — if the user is logged into websites, the agent's browser tool can interact with them. Users should be aware of this when granting browser permissions.
  • Local LLMs have no content filter — models running via Ollama, LM Studio, or node-llama-cpp do not have the safety filters present in cloud-hosted models.

Security-Related Configuration

We recommend the following configuration for maximum security:

{
  "permissions": {
    "bash": "ASK",
    "python": "ASK",
    "editor": "ASK",
    "browser": "ALLOW",
    "system_control": "DENY",
    "god_mode": "DENY"
  },
  "identityGuard": {
    "enabled": true,
    "strictMode": true
  },
  "catastrophicRejection": {
    "enabled": true
  }
}

Thank You

Security is a shared responsibility. We are grateful to researchers and users who help keep ManusGPT safe. If you have questions about our security practices, please don't hesitate to reach out.

ManusGPT Security Team
ManusAgents
