DotAIOS is local-first, but local files can still contain sensitive data. The safest rule is simple: memory files are for context, not secrets.
Users should store secrets in:
~/aios/.env
Generated AIOS folders include a .gitignore that ignores:
- .env
- .env.*
- credentials.*
- token.*
- *.pem
- *.key
.env.example is safe to commit because it contains placeholders only.
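As an added example (not DotAIOS code), the check below flags files whose names match the ignore patterns listed above before they are committed, and reports any of those patterns missing from a .gitignore. The function names and sample inputs are constructed for illustration; .env.example is exempted because it holds placeholders only.

```javascript
// Added example, not part of DotAIOS. Patterns are the six from the page's .gitignore list.
const SECRET_PATTERNS = [".env", ".env.*", "credentials.*", "token.*", "*.pem", "*.key"];
const SAFE_TO_COMMIT = new Set([".env.example"]); // placeholders only, per the page

// Translate a simple glob (literal characters and * only) into an anchored regex.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, "[^/]*");
  return new RegExp(`^${escaped}$`);
}

const MATCHERS = SECRET_PATTERNS.map((pattern) => ({ pattern, re: globToRegExp(pattern) }));

// Return the required patterns that the given .gitignore text does not list.
function missingIgnoreRules(gitignoreText) {
  const rules = new Set(
    gitignoreText
      .split(/\r?\n/)
      .map((line) => line.trim())
      .filter((line) => line && !line.startsWith("#"))
  );
  return SECRET_PATTERNS.filter((pattern) => !rules.has(pattern));
}

// Return { file, pattern } for each path whose basename looks like a secret file.
function findSecretFiles(paths) {
  const hits = [];
  for (const file of paths) {
    const base = file.replace(/\\/g, "/").split("/").pop();
    if (SAFE_TO_COMMIT.has(base)) continue;
    const match = MATCHERS.find(({ re }) => re.test(base));
    if (match) hits.push({ file, pattern: match.pattern });
  }
  return hits;
}

// Constructed sample input: a .gitignore missing two rules and a staged file list.
const sampleGitignore = "# secrets\n.env\n.env.*\ncredentials.*\ntoken.*\n";
const sampleStaged = [
  "memory/notes.md", ".env.example", ".env.local", "keys/deploy.pem", "src/token.json",
];

console.log("Missing ignore rules:", missingIgnoreRules(sampleGitignore));
console.log("Files that should not be committed:", findSecretFiles(sampleStaged));
```

Feeding `findSecretFiles` the output of `git diff --cached --name-only` from a pre-commit hook catches a secret file even when the .gitignore has been edited or bypassed with a forced add.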
Agents should never ask users to paste API keys, passwords, tokens, private keys, or OAuth client secrets into chat. They should name the required variable and ask the user to edit .env locally.
Plugins can come from trusted local folders or trusted git URLs. The manifest declares permissions, and the CLI prints them before install, but DotAIOS does not sandbox plugin code.
Current rule:
- Install only plugins you trust and have reviewed locally.
- Use --dry-run before install.
- Do not treat the current plugin system as a public marketplace.
Git URL installs are supported, but they are still trust-based. Prefer known sources, run npx dotaios install <plugin> --dry-run, and review permissions and source before install.
Use these lanes for Google Workspace, MCP tools, schedules, plugins, and agent workflows:
- Green: local DotAIOS reads such as context, search, schedules, skills, and memory inspection.
- Yellow: read external data into terminal or agent output, with source attribution and no automatic durable write.
- Red: send, edit, delete, move, label, archive, create events, or write durable context/wiki/org/CRM memory. Ask first.
- Black: OAuth secrets, refresh tokens, credential files, private keys, passwords, and API keys. Never paste these into chat or memory.