Security

Last updated: July 13, 2026

This describes how Cmdop is built, what we can and cannot see, and — most importantly — what we do not protect you against.

We would rather you learn the limits here than discover them.


1. The shared responsibility

Cmdop secures the Cmdop service and gives you the controls to secure your own machines. You are responsible for which machines you connect, what you expose, and what you tell the agent to do.

We are responsible forYou are responsible for
AgentShipping signed binaries, the update channel, the integrity of the agent itselfEverything the agent does. It runs with your privileges, on your machine
Relay edge (*.cmdop.dev)Availability, correct passthrough, certificate issuance and rotationWhat you publish; the TLS configuration on your machine; who is allowed to connect
TunnelsAvailability, rate limits, responding to abuse reportsWhether the thing on that port should be public at all
FleetAuthenticating sessions, transporting them, logging connectionsHaving the right to administer every machine you connect. Keeping your enrollment secret secret
CredentialsStoring and revoking what we holdStoring your CLI token and API key; revoking them when someone leaves

2. Execution model

The agent is a local process. It runs as your user, with your permissions, on your machine.

That means: it can read every file you can read, run every command you can run, and reach every network you can reach. If you run it as root, it acts as root.

There is nothing between the model deciding on a command and your shell running it. No container. No virtual machine. No validation step that checks whether the command is safe, correct, or what you meant.

Treat the agent the way you would treat a shell session you have handed to someone else.


3. What we can and cannot see

This has two different answers, and conflating them would be dishonest.

Relay edge — *.cmdop.dev

Our relay edge performs blind L4 SNI passthrough. It reads just enough of the TLS handshake to know which machine to route to, and forwards the bytes.

TLS terminates on your machine, not on our infrastructure. We do not hold the private key for your machine’s certificate, and we cannot decrypt the session. This is a property of the architecture, not a policy we could quietly change.

What the edge can observe: the hostname being connected to, the source IP, byte counts, and timestamps.

Tunnels — cmdop tunnel

Different answer. Tunnel traffic is proxied through our infrastructure.

We can see it, and we may inspect, log, or block it — to keep the service running and to act on abuse reports. Do not use a tunnel for anything you would not want us technically able to read.


4. Credentials

Cmdop uses four separate secrets. They are separate on purpose — one leaking does not hand over the others.

SecretGrantsLives
Account password / GitHub sign-inThe website and your accountYour browser
Platform API keyPaid inferenceYour machine, in the system keyring
Relay CLI tokenYour agent’s session with the relayYour machine, in the system keyring
Enrollment passwordJoining a machine to your fleetWherever you put it
Connection PINAttaching to a specific machineThe machine it protects

The enrollment password deserves attention. It is a durable, reusable shared secret. Anyone who has it can add a machine to your fleet — and any machine in your fleet can run commands on the others. If it leaks, rotate it. We cannot detect that it has leaked.


5. What Cmdop does not protect against

There is no sandbox. Covered above, and repeated here because it is the single most important thing on this page.

Prompt injection. The agent acts on text it reads: web pages, files, command output, the response from another machine, a skill from the marketplace. Any of that text can contain instructions aimed at the agent rather than at you. We do not filter for this. If you have enabled automatic execution, a successful injection means commands you did not ask for, running with your permissions. Do not point the agent at untrusted content while it holds credentials you care about.

Skills are other people’s code. A skill from the marketplace is code that your agent runs on your machine. We do not security-audit skills. Read one before you run it, the same way you would read a shell script a stranger sent you.

A public domain puts your machine on the internet. When you give a machine a *.cmdop.dev address or open a tunnel, anything listening on it is reachable by everyone — not just by you. We do not firewall your machine and we do not audit what you have exposed.

We do not verify that you may access the machines you connect. Enrollment is a shared secret, not a proof of authority. We have no way to know whether a machine is yours.

Cmdop is not an anonymity service. We know your public IP, your hostnames, and which of your machines talked to which. Assume that law enforcement can find out that you use Cmdop.


6. Reducing your risk

  • Least privilege. Do not run the agent as root because it was easier.
  • Read before you approve. Especially anything that deletes, overwrites, or touches production.
  • Keep automatic execution off where the blast radius is real.
  • Back up. The agent can delete files. We cannot get them back.
  • Isolate. Run the agent in a VM or container when it will touch untrusted content.
  • Don’t paste secrets into prompts. They go to a model provider.
  • Rotate your enrollment password when someone leaves.

7. Reporting a vulnerability

Email [email protected]. We acknowledge every report.

We do not pay bounties. We would rather say so plainly than waste your time.

Safe harbor

When you conduct security research in accordance with this policy, we consider that research to be:

  • Authorized with respect to any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
  • Authorized with respect to any relevant anti-circumvention laws, and we will not bring a claim against you for circumventing technical controls;
  • Exempt from the restrictions in our Terms of Service and Acceptable Use Policy that would otherwise interfere with security research, and we waive those restrictions for that limited purpose; and
  • Lawful, helpful to the security of the internet, and conducted in good faith.

If a third party brings legal action against you and you have complied with this policy, we will make it known that your actions were conducted in compliance with it.

We ask that you give us reasonable time to fix an issue before disclosing it, and that you do not access, modify, or destroy data belonging to other people. If you are unsure whether something is in scope, ask us first.


8. Reporting abuse

If someone is using a Cmdop tunnel or relay domain for phishing, malware, or anything else prohibited by our terms, email [email protected]. We will confirm we received it.

What we can do differs by surface, and we will not pretend otherwise. On tunnels, traffic passes through our infrastructure, so we can inspect and block it. On *.cmdop.dev, the edge cannot read the traffic — there our options are metadata, revoking the domain, and suspending the account.

We may suspend a machine, a domain, or an account immediately when we believe it is being used for phishing, malware distribution, or anything else our Terms prohibit.


9. Compliance

We do not hold SOC 2, ISO 27001, HIPAA, PCI DSS, or FedRAMP. If your environment requires them, Cmdop does not currently meet that bar, and we would rather you know now.


10. Updates

Keep the agent current — we do not backport fixes to old versions. Security updates ship through the normal update channel.


Security: [email protected] · Abuse: [email protected]