Security

How OpenBook gates dangerous actions, runs plugins, and what to harden when you self-host.

Auth model

Admin and dangerous endpoints (plugin install/activate, settings, mail, model dispatch, skill execution) are gated behind an admin check. Plugin routes declaring auth: 'admin' fail closed.

Plugins run in-process

Activating a plugin imports its code in the host process. Keep install/activation admin-only and only activate plugins you trust. Audit the Plugin table for unexpected is_active=1 rows after any incident — a rogue row re-activates on every boot.

Hardening checklist

  • Strong admin password; rotate any provider or plugin secrets that may have been exposed.
  • Bind the backend to loopback; expose only nginx with TLS.
  • Firewall + fail2ban; keep the OS patched.
  • Webhook triggers require a non-empty secret (constant-time compare).
  • Review which plugins are active; treat the plugin store as trusted code.