You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I want to separate configuration directories for each project.
For example, I wanted to keep skills that are only used in a specific project grouped together.
Therefore, I changed the behavior so that if a .yagi/ directory exists in the current directory, it is prioritized over ~/.config/yagi/.
I also considered allowing the configuration directory to be specified via an environment variable (e.g., YAGI_CONFIG_DIR=/path/to/project/.yagi).
However, even if configuration via environment variables were supported, I thought it would be clearer to support non-global configuration directories by default.
Furthermore, in the future, it might be necessary to have a feature that merges files from global and local configuration directories (e.g., allowing skills from both ~/.config/yagi/skills/ and .yagi/skills/ to be used).
Please point out any better naming conventions or smarter methods if you have them.
However, auto-loading .yagi/ from the current directory has a serious security risk. If a user clones a malicious repository containing a .yagi/ directory, the following are loaded without any user approval:
.yagi/tools/*.go — arbitrary code execution via yaegi (unrestricted.Symbols)
.yagi/IDENTITY.md — system prompt override (prompt injection)
If you want to use auto-loading .yagi, this needs at minimum an explicit opt-in (e.g., confirmation prompt on first use) or restricting which files can be loaded from local config.
Specifying the config directory explicitly (e.g., via YAGI_CONFIG_DIR environment variable or a command-line flag) would be safe since it requires user intent. The concern is with automatic detection of .yagi/ in the working directory.
@mattn
Thanks for the detailed reply!
Totally get the security concerns with auto-loading—makes total sense.
I'll tweak it to use YAGI_CONFIG_DIR for explicit control, building on the current setup (PR coming soon).
Closing this PR.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Hi!
I want to separate configuration directories for each project.
For example, I wanted to keep skills that are only used in a specific project grouped together.
Therefore, I changed the behavior so that if a
.yagi/directory exists in the current directory, it is prioritized over~/.config/yagi/.I also considered allowing the configuration directory to be specified via an environment variable (e.g.,
YAGI_CONFIG_DIR=/path/to/project/.yagi).However, even if configuration via environment variables were supported, I thought it would be clearer to support non-global configuration directories by default.
Furthermore, in the future, it might be necessary to have a feature that merges files from global and local configuration directories (e.g., allowing skills from both
~/.config/yagi/skills/and.yagi/skills/to be used).Please point out any better naming conventions or smarter methods if you have them.