Security score
25/100
ungoverned
Why this score
25/100 = 100 − 35 (approvals & sandbox bypassed (yolo)), 25 (running as root), 15 (permission checks bypassed). Credential risk High (static key on an unbacked consumer identity). No policy binding — unaccountable.
No prior regression — worst observed equals current (25).
Compound risk — dangerous and unaccountable
Critical posture (25/100) with no policy binding — high blast radius, no owner or gate.
Identity & Access
- user
- root
- —
- org_id
- —
- account_uuid
- —
- host
- mktg-runner
- auth_method
- api_key
- cred_risk
- High
static key on an unbacked consumer identity
Process & Runtime
- name / version
- marketing-gpt · v0.3.0
- configured_model
- gpt-4o
- runtime_model
- gpt-4o
- binary_path
- /srv/marketing-gpt/agent.py
- cwd
- /srv/marketing-gpt
- config_source
- /srv/marketing-gpt/.env
- first_seen
- 2026-05-30T16:00:00Z
- last_active
- 2026-06-03T12:10:00Z
Data Access
data-risk 5410
file reads
130
file writes
520
file opens
860
tool calls
Sensitive paths
Path | Category | Severity | Opens |
|---|---|---|---|
| /srv/marketing-gpt/.env | secret_file | high | 1 |
| ~/.zsh_history | shell_history | low | 2 |
MCP Servers
footprint 95 · 1 × 95 callsServer | Calls |
|---|---|
| hubspot-mcp | 95 |
Token & Cost
1.1M tokens · $44.10By model
Security Score
target ≥ 80-55 below the ≥ 80 target. Ungoverned.
Risk factors
- • Approvals & sandbox bypassed (yolo)−35
- • Running as root−25
- • Permission checks bypassed−15
Network Egress
detail-level signal · not an organizing surfaceHost : Port | TLS | Allowlisted |
|---|---|---|
| api.openai.com:443 | TLSv1_3 | yes |
| webhook.zapier.com:443 | TLSv1_2 | no |
Do next
Derived: deductions (factors × FACTOR_PTS) · delta vs worst_score · data-risk sub-score (Σ severity×opens) · MCP footprint (servers × calls) · isCompoundRisk — from app/data/c16-fleet.ts (qcontrol /api shape).