Skip to content

Security: seocorp/magi-system

Security

SECURITY.md

MAGI Security Model

What MAGI Is

MAGI is a local, single-operator reasoning and deliberation aid for Claude Code. It helps structure complex decisions by splitting them into three persona cores that recursively decompose, self-verify, and vote.

What MAGI is NOT:

  • A security gate or sandbox
  • A deployment approval system
  • A comprehensive safety audit
  • A substitute for independent review, testing, or rollback planning

Trust Boundary

When MAGI runs:

  • Cores execute as fork subagents, inheriting the user's full permissions (shell, file system, git config, SSH keys, API tokens in environment).
  • Cores follow read-only + no-exfiltration constraints when judging untrusted content (see Hard Constraints in magi-protocol.md).
  • Cores cannot be instructed by embedded directives in the content being judged (e.g., [OVERRIDE], "ignore previous instruction") — such lines are treated as data, not commands.

What this means:

  • Trusted input: Your own code, decisions, architecture questions → cores can fully evaluate with all tools.
  • Untrusted input (PR comments, external code, user-submitted configs): Cores use only read-only verification and spot-check the claims, never executing arbitrary instructions hidden in that content.

Known Limits

  1. Verification is spot-check, not exhaustive: Orchestrator verifies one load-bearing fact per core. MAGI does not guarantee 100% correctness.
  2. Unanimity ≠ proof: All three cores agreeing on a grave operation is a strong signal, but it does not prove the decision is safe. Flawed premises, hidden assumptions, or undisclosed context may still result in a wrong verdict.
  3. Grave-op list is public: The list of operations requiring 3/3 unanimity + veto (defined in protocol) is not a secret gate. Do not rely on it as a security barrier against sophisticated attackers.

Installation Best Practices

MAGI is distributed as a public GitHub repository. Before installing:

  1. Review the commit you're installing:
    git log --oneline magi-system/magi | head -5
  2. Inspect the skill source before copying to ~/.claude/skills/:
    git show HEAD:magi/SKILL.md | head -20
  3. Do NOT:
    • Install from branches you don't control
    • Bypass reviewing the commit history
    • Auto-update without checking what changed

Checksum verification: We do not mandate GPG signing or checksums. Instead, review the commit yourself. This is lighter and equally valid for local tooling.

Reporting Security Concerns

Found a potential issue with MAGI's judgment logic, tool constraints, or protocol?

  1. Open an issue: https://github.com/jangfolk/magi-system/issues
  2. Describe:
    • What the concern is (e.g., "Untrusted input in Core brief can be exploited via prompt injection")
    • Concrete example or exploit scenario
    • Suggested fix (if applicable)
  3. Do not publish exploit details if the issue affects active deployments; reach out privately first.

See Also

  • magi-protocol.md — Full implementation, Hard Constraints, Untrusted Input Handling
  • SKILL.md — User-facing skill definition with safety caveats

Last updated: 2026-07-01
License: MIT (See LICENSE)

There aren't any published security advisories