Agent Desk stores messages, runtime metadata, and pairing state as local files. It is designed for local development and trusted automation workflows.
Do not put secrets, production credentials, private customer data, or live vulnerability payloads in message bodies unless the storage directory is protected appropriately.
Command automation is disabled by default. Legacy agent-postbox watch routes only run local commands when `--allow-command` is passed, because command routes can execute arbitrary code.
Recommended safe usage:
- Keep the Agent Desk data directory inside a private workspace or user profile.
- Do not expose the server directly to the public internet.
- Use LAN mode only on a trusted network or behind private network tooling.
- Use synthetic fixtures for public demos.
- Treat route files as code.
- Prefer `append_file` and `print` actions until a workflow is trusted.
- Review webhook destinations before enabling `http_post`.
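One way to check that the data directory is "protected appropriately", as an added example (not Agent Desk's own code): a POSIX-only audit that flags entries accessible to other users, owned by another user, or symlinked outside the directory. The directory name and file names in the demo are constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_data_dir(root):
    """Return (path, problem) pairs for a local data directory (POSIX modes)."""
    root = Path(root).resolve()
    entries = [root]
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        entries += [Path(dirpath) / name for name in dirnames + filenames]
    findings = []
    for path in entries:
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            # A link leaving the directory can redirect reads or writes elsewhere.
            if not path.resolve().is_relative_to(root):
                findings.append((path, "symlink points outside the data directory"))
            continue
        if st.st_uid != os.getuid():
            findings.append((path, "owned by a different user"))
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((path, "accessible to group or other users"))
    return findings


def demo():
    """Audit a constructed sample directory; file names here are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "agent-desk-data"  # hypothetical location
        data.mkdir()
        os.chmod(data, 0o700)
        private = data / "pairing.json"
        private.write_text("{}")
        os.chmod(private, 0o600)
        leaky = data / "messages.jsonl"
        leaky.write_text("{}\n")
        os.chmod(leaky, 0o644)
        outside = Path(tmp) / "outside.txt"
        outside.write_text("x")
        (data / "shortcut").symlink_to(outside)
        return sorted((p.name, why) for p, why in audit_data_dir(data))


if __name__ == "__main__":
    for name, why in demo():
        print(f"{name}: {why}")
```

Run `audit_data_dir()` against the real data directory before placing anything sensitive in message bodies; an empty list means every entry is private to the current user.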