PRAISONAI_ALLOW_LOCAL_TOOLS; without it, dangerous local tools stay blocked by default.
Quick Start
How It Works
| Phase | Action | Default Behavior |
|---|---|---|
| Startup | Check environment variables | Block dangerous features |
| Request | Validate security permissions | Allow only safe operations |
| Execute | Run with appropriate restrictions | Fail-safe mode active |
Environment Variables
PRAISONAI_TOOL_SAFETY
Controls whether dangerous built-in tools (shell exec, file delete/move/copy, code execution) are gated by the approval system. Default: unset βdefault preset active (blocks destructive ops in CI, asks on TTY)
| Value | Behaviour |
|---|---|
| unset | default preset β denies destructive ops in CI, asks on TTY |
off / full / none / 0 / false | Bypass all gating (trust the LLM) |
safe / read_only | Block all tools in DEFAULT_DANGEROUS_TOOLS |
default | Explicit default (same as unset) |
--dangerously-skip-approval on praisonai code automatically exports PRAISONAI_TOOL_SAFETY=off so that child processes inherit the bypass.PRAISONAI_ALLOW_LOCAL_TOOLS
Controls automatic loading oftools.py files from the current working directory.
Security Risk: Remote Code Execution (RCE) via malicious tools.py files
83b8b14c):
praisonaiwrapper agent generator (generate_crew_and_kickoffand_run_praisonai), now delegating toToolResolver.get_local_callables()/ToolResolver.get_local_tool_classes()praisonai.tool_resolver.ToolResolver._load_local_tools(single source of truth; the env-var gate itself is enforced bypraisonai._safe_loader.load_user_module)praisonai runYAML workflows (recipetools.pyunder_run_yaml_workflow)praisonai research --tools <file.py>praisonai chat --rewrite-tools <file.py>and--expand-tools <file.py>- Generic CLI
_load_tools(tools_path) - HTTP API:
praisonai.api.call.import_tools_from_file(raisesValueErrorif disabled) - Path-traversal guard: files outside the current working directory are refused even when
PRAISONAI_ALLOW_LOCAL_TOOLS=true praisonaiagents.workflows.workflows.AgentFlow(SDK-level: skipstools.pynext to the workflow class when unset)
Even when
PRAISONAI_ALLOW_LOCAL_TOOLS=true, the loader refuses any path outside the current working directory. This is a deliberate defence-in-depth layer for HTTP-API callers (praisonai.api.call.import_tools_from_file) where the path can come from network input. Move the tools.py you want to load into your CWD if you hit Refusing to exec ... outside working directory. in the logs.PRAISONAI_ALLOW_LOCAL_TOOLS accepts only true (case-insensitive) in the wrapper (praisonai). Values like 1, yes, or on are not truthy for the wrapper (unlike PRAISONAI_ALLOW_TEMPLATE_TOOLS).
Truthy-value inconsistency across surfaces: The wrapper (
praisonai) accepts only true; the SDKβs AgentFlow (praisonaiagents.workflows.workflows) accepts true, 1, or yes; the SDKβs recipe path in workflows.py accepts true, 1, yes, or on. If you rely on PRAISONAI_ALLOW_LOCAL_TOOLS=1, the wrapper will reject it even though the SDKβs AgentFlow will accept it. This is the SDKβs actual behavior β set true to be safe across all surfaces.| When | Where it appears | Message |
|---|---|---|
| Env var unset, CLI tool loader (research/rewrite/expand/recipe) | stdout (rich [yellow]) | Warning: Tools loading disabled. Set PRAISONAI_ALLOW_LOCAL_TOOLS=true to enable. |
| Env var unset, agent generator | logger.warning | Refusing to exec %s: set PRAISONAI_ALLOW_LOCAL_TOOLS=true to enable. |
Env var unset, HTTP API (api/call.py) | raised exception | ValueError("Local tools loading disabled. Set PRAISONAI_ALLOW_LOCAL_TOOLS=true to enable.") |
| Path outside CWD, env var set | logger.warning | Refusing to exec <path>: outside working directory. |
| Path outside CWD via HTTP API, env var set | raised exception | LocalToolsDisabled("Refusing to exec <path>: outside working directory.") |
Env var unset, SDK AgentFlow with tools.py present | logger.debug | Skipping tools.py load for <class>: set PRAISONAI_ALLOW_LOCAL_TOOLS=true |
PRAISONAI_ALLOW_TEMPLATE_TOOLS
Controls implicittools.py autoload by the template tool-override system, both from the current working directory and from a recipeβs template directory.
Security Risk: Remote Code Execution (RCE) when loading recipes/templates from untrusted sources (e.g. recipes fetched from a remote registry)
Accepted truthy values:
1, true, yes, on (case-insensitive, whitespace-stripped)
Affected Components:
praisonai.templates.tool_override.create_tool_registry_with_overridespraisonai.templates.tool_override.resolve_tools
override_files, override_dirs, and tools_sources continue to work without this opt-in and are the recommended way to load custom tools.
Usage Example:
PRAISONAI_ALLOW_PLUGIN_DISCOVERY
Controls automatic discovery and loading of plugins from.praisonai/plugins/ (project-level) and ~/.praisonai/plugins/ (user-level) directories.
Security Risk: Remote Code Execution (RCE) via malicious third-party plugins discovered on sys.path.
Accepted truthy values:
true, 1, yes (case-insensitive, whitespace-stripped). on is not accepted.
Affected Component: praisonaiagents.plugins.manager.PluginManager.discover_and_load_plugins
Default behavior when unset: discover_and_load_plugins() is a no-op and returns 0. A logger.debug message fires: Plugin auto-discovery disabled; set PRAISONAI_ALLOW_PLUGIN_DISCOVERY=true.
Usage Example:
PRAISONAI_PROJECT_ROOT
Sets the allowed root directory for agent output file writes. Writes outside this root are silently blocked. Security Risk: Path-traversal write outside the project tree (e.g.output_file="../../etc/passwd").
os.getcwd() at save timeAffected Component:
praisonaiagents.agent.memory_mixin.MemoryMixin._save_output_to_file
Silent-failure semantics: When the output path resolves outside the project root, the save returns False, logs Output file %r is outside project root %r; skipping save at logging.warning, and prints β οΈ Output path outside project root: <path> to stdout. No exception is raised.
Usage Example:
ALLOW_LOCAL_CRAWL
Bypasses SSRF protection for loopback, private, link-local, multicast, and unspecified IP addresses in web crawl tools. Security Risk: Server-Side Request Forgery (SSRF) β agents fetchinghttp://169.254.169.254/... (cloud metadata), http://localhost:6379 (Redis), etc.
{"error": "URL blocked by SSRF policy"} per blocked URLAccepted truthy values:
true only β exact, case-sensitive match. This is stricter than other env vars on this page.
Affected Components:
praisonaiagents.tools.web_crawl_tools(both_crawl_with_crawl4aiand_crawl_with_httpxvia_is_safe_crawl_url)praisonaiagents.tools.url_safety.is_safe_http_url
PRAISONAI_ALLOW_JOB_WORKFLOWS
Controls execution of job and hybrid workflow types that can run shell commands and scripts. Security Risk: Remote Code Execution (RCE) via malicious YAML workflows- Job workflows: Direct shell, Python, and script execution
- Hybrid workflows: Combined agent + job execution
PRAISONAI_BROWSER_ALLOW_REMOTE
Controls browser server binding to non-loopback interfaces (0.0.0.0, remote IPs). Security Risk: WebSocket session hijacking and unauthorized browser access- Binds to
127.0.0.1(localhost only) - Blocks attempts to bind to
0.0.0.0or remote interfaces
PRAISONAI_RUN_SYNC_TIMEOUT
Default maximum seconds the wrapperβs sync-to-async bridge will wait for a coroutine to complete. Default:300 (5 minutes)
praisonai CLI entry and wrapper-based server (gateway, a2u, mcp_server, scheduler). The SDK (praisonaiagents) uses a separate bridge β see Async Bridge.
Common Patterns
- Development Mode
- Production Mode
- Docker Deployment
Migration Guide
Upgrading from Vulnerable Versions
Identify Usage
Check if you use any of these features:
- Local
tools.pyfiles - Recipes / templates that ship a
tools.pyand rely on it being implicitly loaded - Job or hybrid workflows with shell/script execution
- Browser server binding to
0.0.0.0 - HTTP API callers that pass a
file_pathtopraisonai.api.call.import_tools_from_fileβ these now raiseValueErroruntil you opt in
Best Practices
π Principle of Least Privilege
π Principle of Least Privilege
Only enable environment variables for features you actively use. Each variable increases your attack surface.
π’ Production Environment Isolation
π’ Production Environment Isolation
Never enable dangerous variables in production unless absolutely necessary. Use staging environments for testing.
π File System Security
π File System Security
When
PRAISONAI_ALLOW_LOCAL_TOOLS=true or PRAISONAI_ALLOW_TEMPLATE_TOOLS=1 is set, ensure your working directory doesnβt contain untrusted tools.py files. This is especially risky for recipes fetched from remote registries.π Network Security
π Network Security
When
PRAISONAI_BROWSER_ALLOW_REMOTE=true, use firewalls and authentication to protect browser endpoints.Security Advisories
These environment variables address the following security vulnerabilities:| Advisory | Severity | Description | Environment Variable |
|---|---|---|---|
| GHSA-g985-wjh9-qxxc | High | RCE via Automatic tools.py Import | PRAISONAI_ALLOW_LOCAL_TOOLS |
| GHSA-xcmw-grxf-wjhj | High | Implicit RCE via template/CWD tools.py autoload | PRAISONAI_ALLOW_TEMPLATE_TOOLS |
| GHSA-vc46-vw85-3wvm | Critical | RCE via job workflow YAML | PRAISONAI_ALLOW_JOB_WORKFLOWS |
| GHSA-8x8f-54wf-vv92 | Critical | WebSocket session hijacking | PRAISONAI_BROWSER_ALLOW_REMOTE |
| pending | High | SSRF via web crawl to loopback/private addresses | ALLOW_LOCAL_CRAWL |
- praisonai:
>=0.0.57 - praisonaiagents:
>=0.0.23
PRAISONAI_ALLOW_LOCAL_TOOLS enforcement to research/rewrite/expand/recipe tool-loading paths and the HTTP API, and added a CWD-only path constraint as defence-in-depth. No new advisory was filed; the threat model is unchanged from GHSA-g985-wjh9-qxxc.
Related
Guardrails
Content filtering and safety controls
Permissions
Agent permission management system

