Security & Trust
Agentbot is committed to keeping your data safe. Here’s our security posture.
Security Overview
| Category | Status | Notes |
|---|---|---|
| Data Encryption | ✅ | TLS 1.3 in transit |
| API Authorization | ✅ | Session-based auth |
| Bot Detection | ✅ | Automated request filtering on sensitive endpoints |
| Input Validation | ✅ | Allowlist + sanitization |
| Rate Limiting | ✅ | Per-IP limits |
| Audit Logging | ✅ | All actions logged |
Skill Security Matrix
| Skill | Input Validation | Sanitization | User Data | External Calls |
|---|---|---|---|---|
| Visual Synthesizer | ✅ | ✅ | ❌ | ✅ (Replicate) |
| Track Archaeologist | ✅ | ✅ | ❌ | ❌ |
| Setlist Oracle | ✅ | ✅ | ❌ | ❌ |
| Groupie Manager | ✅ | ✅ | ✅ (demo) | ❌ |
| Royalty Tracker | ✅ | ✅ | ❌ | ❌ |
| Demo Submitter | ✅ | ✅ | ✅ (demo) | ❌ |
| Event Ticketing | ✅ | ✅ | ✅ (email) | ❌ |
| Event Scheduler | ✅ | ✅ | ❌ | ❌ |
| Venue Finder | ✅ | ✅ | ❌ | ❌ |
| Festival Finder | ✅ | ✅ | ❌ | ❌ |
Bot detection
Sensitive API endpoints are protected by bot detection to prevent automated abuse. Protected endpoints return a 403 status code when a request is identified as coming from an automated source.
Protected endpoints:
| Endpoint | Purpose |
|---|---|
| /api/register | Prevents fake account creation |
| /api/auth/forgot-password | Blocks automated password reset abuse |
If you receive a 403 response, ensure your requests originate from an environment that supports browser-level verification.
Trust Principles
1. Minimal Data Collection
- We don’t store prompts or generated images permanently
- Demo skills use in-memory data that resets on restart
- No user data sent to third parties (except Replicate for image generation)
2. Input Sanitization
All user inputs are:
- Length-limited (max 100-500 chars depending on field)
- Type-checked (strings, arrays, numbers)
- Allowlist-validated (enum values must match predefined lists)
- HTML/JS stripped (< and > characters removed)
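An added example, not Agentbot's own code, of a request-body validator that applies the four checks above (length limit, type check, allowlist, removal of < and >); the field schema and limits below are constructed for illustration, since the page gives no per-field values.

```javascript
// Added example (not Agentbot's code): one validator applying the four checks
// listed above. The field schema at the bottom is constructed; real limits are not on this page.
const MAX_LEN_DEFAULT = 500;
// Strip the characters the page says are removed, then trim surrounding whitespace.
function stripAngleBrackets(s) {
  return s.replace(/[<>]/g, "").trim();
}

// Validate one value against a field spec; returns { ok: true, value } or { ok: false, error }.
function validateField(name, value, spec) {
  const maxLen = spec.maxLen ?? MAX_LEN_DEFAULT;
  if (spec.type === "number") {
    // Number.isFinite does not coerce, so the string "215" is rejected.
    return Number.isFinite(value) ? { ok: true, value } : { ok: false, error: `${name}: expected number` };
  }
  if (spec.type === "array") {
    if (!Array.isArray(value)) return { ok: false, error: `${name}: expected array` };
    if (value.length > maxLen) return { ok: false, error: `${name}: more than ${maxLen} items` };
    const items = [];
    for (const item of value) {
      const r = validateField(name, item, { type: "string", maxLen: spec.itemMaxLen, allowlist: spec.allowlist });
      if (!r.ok) return r;
      items.push(r.value);
    }
    return { ok: true, value: items };
  }
  if (typeof value !== "string") return { ok: false, error: `${name}: expected string` };
  if (value.length > maxLen) return { ok: false, error: `${name}: exceeds ${maxLen} chars` };
  // Enum fields must match the predefined list exactly; free-text fields have < and > removed.
  if (spec.allowlist) return spec.allowlist.includes(value) ? { ok: true, value } : { ok: false, error: `${name}: not an allowed value` };
  return { ok: true, value: stripAngleBrackets(value) };
}

// Validate a whole request body: fields outside the schema are dropped, required ones must be present.
function validateBody(body, schema) {
  const cleaned = {}, errors = [];
  for (const [name, spec] of Object.entries(schema)) {
    // hasOwnProperty rather than `in`, so inherited keys such as "constructor" never count as supplied.
    if (!Object.prototype.hasOwnProperty.call(body, name)) { if (spec.required) errors.push(`${name}: missing`); continue; }
    const r = validateField(name, body[name], spec);
    if (r.ok) cleaned[name] = r.value; else errors.push(r.error);
  }
  return { ok: errors.length === 0, cleaned, errors };
}

// Constructed schema for a hypothetical demo-submission form (not Agentbot's real field list).
const DEMO_SCHEMA = {
  title: { type: "string", maxLen: 100, required: true },
  genre: { type: "string", allowlist: ["rock", "jazz", "electronic"], required: true },
  tags: { type: "array", maxLen: 5, itemMaxLen: 30 },
  durationSec: { type: "number" },
};
```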
3. API Key Security
- Replicate API tokens stored in server-side environment variables
- Never exposed to client-side code
- Used only for image generation requests
4. Read-Only Skills
Track Archaeologist, Setlist Oracle, Royalty Tracker, Venue Finder, Festival Finder, and Event Scheduler are read-only:
- No user data stored
- No external API calls
- Uses only in-memory mock catalog
- Safe for public demo use
Known Limitations
Demo Mode
Currently skills run in demo mode without authentication. In production:
- User sessions will be required
- Each user’s data will be isolated
- API rate limits will be per-user
In-Memory Storage
Groupie Manager uses in-memory Map storage. Data is:
- Lost on server restart
- Not shared between server instances
- Only for demonstration purposes