Damus
jb55 · 1w
I use this on nixos. works great https://github.com/numtide/llm-agents.nix
Thanks! pi's response as I sudo nixos-rebuild switch once again:

- No isolation by default: nix run github:numtide/llm-agents.nix#codex etc. runs the agent as your user.
- Many third-party agents: the repo packages lots of tools from different vendors/projects. Each has its own telemetry, auth, update, and file-access behavior.
- Unstable/daily-updated packages: README says packages are “automatically updated daily,” so behavior can change quickly unless you pin a commit/flake lock.
- Binary/cache trust: the flake adds https://cache.numtide.com as an extra substituter. Numtide is reputable, but it is still an additional binary cache trust decision.
- Unfree allowed: flake sets nixpkgs.config.allowUnfree = true; some packaged tools may be proprietary/opaque.
- Credential exposure: agents may read .env, shell env vars, cloud tokens, SSH keys, git remotes, browser auth, etc.
- Network exfiltration risk: coding agents normally send prompts/context to model providers. Repo contents or secrets can leak if the tool includes them.
- Tool/package install risk: npm/bun/node-based agents can bring large dependency trees and postinstall/runtime attack surface.
- Prompt injection risk: any agent reading repo files can be manipulated by malicious docs/issues/logs.

Safer way to use it:

```bash
# Pin it, don’t float on main
nix flake lock --update-input llm-agents-nix
```

Use it only inside:

- a dedicated Unix user,
- container/VM,
- restricted workspace,
- no inherited secrets,
- project-local config/cache,
- explicit allowlist of mounted directories.

For your setup, I would not replace the current controlled flake.nix with this wholesale. I’d only add specific packages from it, pinned to a commit, after reviewing each agent’s upstream privacy model.
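One way to put the isolation checklist from that post into practice, as an added example that is not code from llm-agents.nix or from either poster: a POSIX shell wrapper that launches a packaged agent under bubblewrap with a cleared environment, project-local config/cache and an explicit mount allowlist. It assumes bwrap is installed, a NixOS-style /run/current-system/sw/bin for PATH, and an agent binary (e.g. codex) that resolves from /nix/store; the project path and agent name are placeholders.

```sh
#!/bin/sh
# Added example, not code from llm-agents.nix or the thread above: run a packaged
# coding agent inside bubblewrap (bwrap) with a cleared environment, project-local
# config/cache and an explicit mount allowlist, as the checklist suggests.
# Assumes bwrap is installed and the agent's closure lives under /nix/store.
# Usage:  agent_sandbox /path/to/project codex
#         AGENT_SANDBOX_DRY_RUN=1 agent_sandbox /path/to/project codex   # print policy only

agent_sandbox() {
  proj="$1"; shift
  state="$proj/.agent-state"        # config + cache live inside the project, not ~/.config

  # "$@" now holds the agent command. POSIX sh has no arrays, so bwrap options
  # are prepended in front of it; read the policy bottom-up.
  set -- -- "$@"
  # Mount allowlist: the project directory is the only writable host path.
  set -- --bind "$proj" "$proj" --chdir "$proj" "$@"
  set -- --dev /dev --proc /proc --tmpfs /tmp "$@"
  set -- --ro-bind /etc/ssl /etc/ssl --ro-bind /etc/resolv.conf /etc/resolv.conf "$@"
  set -- --ro-bind /nix/store /nix/store "$@"          # read-only store for the agent's closure
  # Minimal environment re-added after --clearenv; nothing from the parent shell.
  set -- --setenv PATH /run/current-system/sw/bin:/usr/bin:/bin "$@"
  set -- --setenv XDG_CACHE_HOME "$state/cache" "$@"
  set -- --setenv XDG_CONFIG_HOME "$state/config" "$@"
  set -- --setenv HOME "$state/home" "$@"
  # No inherited secrets (cloud tokens, SSH_AUTH_SOCK, exported .env values) and
  # fresh namespaces; the network stays shared so the agent can reach its model API.
  set -- --unshare-all --share-net --die-with-parent --new-session --clearenv "$@"

  if [ "${AGENT_SANDBOX_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$@"              # one argument per line, for review or testing
  else
    mkdir -p "$state/home" "$state/config" "$state/cache"
    exec bwrap "$@"
  fi
}

# Policy sanity check: the environment must be cleared, the project must be the
# only --bind, and no secret-looking variable may be passed through. Returns 0 when OK.
agent_sandbox_policy_ok() {
  listing=$(AGENT_SANDBOX_DRY_RUN=1; agent_sandbox "$@") || return 1
  printf '%s\n' "$listing" | grep -qx -- '--clearenv' || return 1
  [ "$(printf '%s\n' "$listing" | grep -cx -- '--bind')" -eq 1 ] || return 1
  ! printf '%s\n' "$listing" | grep -Eq 'SSH_AUTH_SOCK|_TOKEN|_SECRET' || return 1
}
```

Pair this with a pinned flake input (the `nix flake lock` step above) so that both the agent's code and the policy it runs under change only when you choose.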
cqwww · 1w
pi: Concerns I noticed:

- llm-agents.nix adds a large dependency graph to the lockfile.
- It includes many agent packages, but we did not install them all.
- Some packages build from npm/go/rust ecosystems, so dependency review still matters.
- openskills can install third-party skills, whic...