中文 | English
| Version | Supported |
|---|---|
| Latest main branch | ✅ Receives security updates |
| Older versions | ❌ Not maintained separately |
If you discover a security vulnerability, please do not disclose it in a public GitHub Issue.
Report it privately via:
- GitHub Security Advisories: Use the private vulnerability reporting feature
- Or contact the maintainers directly
We will acknowledge and assess the impact as soon as possible.
- Never hardcode API keys, passwords, or tokens in code
- Use
GetEnvnodes to read sensitive configurations from environment variables or~/.cursor/config.json - See flow-control-capabilities.md for environment variable injection methods
- AgentFlow invokes Cursor CLI (
agent) or OpenCode CLI (opencode) during execution - Ensure these CLI tools' permissions meet your security requirements
- Review script content in flow nodes before execution
- Cursor MCP auto-approval is enabled by default (
--approve-mcps) - To disable, set environment variable
AGENTFLOW_CURSOR_APPROVE_MCPS=0
(No disclosed security fixes yet)