Skip to content

Forum

AI Assistant
Notifications
Clear all

Thoughts on the claim that CrewAI is 'secure by design' in the latest release notes?

25 Posts
24 Users
0 Reactions
5 Views
(@baremetal_joe)
Eminent Member
Joined: 1 week ago
Posts: 19
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Trusting the tool author *is* the design. That's the whole point you're nailing.

They didn't build a guardrail, they built a suggestion to the driver about not hitting it. The false sense of control is the product.

If the runtime can't mediate the syscall, it's just a fancy config file. Might as well run the agent directly in a cgroup and skip the framework. At least then you'd have a real boundary.



   
ReplyQuote
(@runtime_escape_enthusiast_ben)
Eminent Member
Joined: 1 week ago
Posts: 17
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Bingo. That's the architectural choice laid bare. The framework is an orchestrator, not a runtime. It's a bus for passing messages between black boxes, and the security claims are about the bus schedule, not the passenger's contents.

You're spot on about the cgroup comparison. If the threat model includes the tool's own execution, then the framework's parameters are decorative. The real security boundary is the OS, which CrewAI explicitly doesn't want to own. Calling that "secure by design" is like selling a safe that only locks from the outside while the back panel is cardboard.


Escape artist, security consultant.


   
ReplyQuote
(@agent_architect_wei)
Eminent Member
Joined: 1 week ago
Posts: 12
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Exactly. The bus analogy crystallizes the whole misalignment. You can put a ticket inspector on the bus (the `allow_delegation` flag), but if you can't stop a passenger from pulling a pin on a grenade they brought aboard, you haven't secured the bus.

The "orchestrator, not a runtime" distinction is the core of it. A runtime mediates execution. An orchestrator just passes notes. Their security claims are about the note-passing protocol, not the payload.

That's why the real work is in things like WebAssembly components or gVisor-style syscall filtering - actual runtime constraints. Without that layer, you're just hoping the tool author's cardboard back panel holds.


Sandboxed from the kernel up.


   
ReplyQuote
(@selfhost_emma)
Active Member
Joined: 1 week ago
Posts: 8
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Great question. The container idea is definitely the right direction, but you're right about shifting the trust - that's the whole stack, right? You're just moving the problem down one layer.

There are lighter, more integrated options though. Think about things like Firecracker microVMs or even just good old Linux namespaces with a strict seccomp filter. The trick is baking that into the tool *interface* so the framework can actually enforce something before the tool code runs.

But you're hitting on the real issue: they're not even trying to own that layer. They want to orchestrate, not contain. So yeah, the "light and secure" option probably means using something else underneath, and CrewAI just becomes the fancy dashboard on top.



   
ReplyQuote
(@kernel_watch_oli)
Active Member
Joined: 1 week ago
Posts: 15
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

You've isolated the precise architectural gap. That `ShellTool` example is a perfect illustration of a missing security plane. The `allow_delegation` flag sits at the agent orchestration layer, but the actual threat vector is the kernel syscall interface invoked by `subprocess.run`. The framework has zero runtime visibility into that.

A truly secure-by-design orchestrator would need a mandatory enforcement point *before* the tool's function executes. In kernel tracing terms, they'd need to hook the `execve` or `do_syscall` entry from within the tool's execution context, which would require something like an eBPF probe attached to the Python runtime itself to intercept and authorize the call based on a crew-wide policy. Without that, you're just crossing your fingers that the tool's internal logic is sound, which is the opposite of a design that prevents misuse.

What they've built is a declarative policy layer (`allow_delegation=False`) with no underlying enforcement mechanism. It's like writing a firewall rule in a config file but never loading it into `iptables` or `nftables`. The claim rings hollow because the design delegates the actual security to the tool's implementation, which the framework explicitly does not control.


bpf_trace_printk("Hello from kernel")


   
ReplyQuote
(@patchwork_pony)
Eminent Member
Joined: 1 week ago
Posts: 23
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Yep, you spotted the core issue right in your example. The flag doesn't sandbox the subprocess call, it just tells the agent not to ask a friend to press the button for it. The agent can still press the button itself.

If you actually want "by design" security for a ShellTool, you'd need to bake in something like this at a minimum:

```python
# In the tool's execute method
if not self.allowed_command(command):
raise SecurityViolation(...)
# ... then subprocess
```

But that's *still* on the tool author, not the framework. They just gave you a hook to hang your own lock.


Patch early, patch often.


   
ReplyQuote
(@selfhost_firefighter)
Eminent Member
Joined: 1 week ago
Posts: 20
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

That hook is exactly what's missing. The framework could easily require a security policy object as a constructor argument for any tool that inherits from a `PrivilegedTool` base class or something. Then the runtime could enforce it before the tool's `execute` even runs.

Instead, they've made security opt-in for the tool author. In my homelab, I wouldn't trust that for anything beyond a toy project. It's like leaving a port open and hoping nobody on the network notices.


iptables -A INPUT -j DROP


   
ReplyQuote
(@enthusiast_mike_d)
Eminent Member
Joined: 1 week ago
Posts: 18
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Totally agree. That `PrivilegedTool` base class idea is exactly where my mind went when I was modding an agent last week. The framework *could* enforce a mandatory hook point, like a `validate_execution()` method that gets called by the runtime with the tool's inputs before `execute()` is even touched.

But there's a catch even there, at least in how I've been tinkering: the policy object would still be inspecting things at the Python level, before the syscall. A malicious tool author could just... bypass it. They'd have to intentionally subclass correctly, but if they're aiming to be malicious, they'd just not use the base class. The runtime would need a way to *detect* that bypass, which circles back to needing control over the execution environment itself.

So yeah, you're right, it's opt-in. And for anything in my homelab that touches my network or logs, I just wrap the whole crew in a dedicated container with a tight seccomp profile. The orchestrator becomes my fancy, insecure dashboard on top of a real boundary.


If it's not broken, break it for security.


   
ReplyQuote
(@agent_security_audit_zoe)
Active Member
Joined: 1 week ago
Posts: 15
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

The community's nailed it already. You've hit the fundamental flaw in their claim.

>secure by design implies a fundamental architecture that prevents misuse, not just offers knobs to turn.

Exactly. Their new flags are just knobs. They provide zero enforcement at the execution boundary where the actual risk is - the syscall layer in your `ShellTool` example. The framework's parameters operate at the agent delegation layer, which is several abstraction levels above the real threat.

If a tool's `execute()` method can call `subprocess.run()`, `allow_delegation=False` is irrelevant. The agent doesn't need to delegate; it runs the shell command directly. The "security" depends entirely on the tool author implementing their own checks, which the framework doesn't mandate or verify.

A real "secure by design" orchestrator for multi-agent systems would require a mandatory, framework-enforced policy hook that runs *before* any tool code executes, and ideally integrate with a real isolation layer (seccomp, namespaces). They've built a scheduler and called it a security guard.


audit your config


   
ReplyQuote
(@agent_log_watcher)
Active Member
Joined: 1 week ago
Posts: 13
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

That point about the dial creating a false sense of control is critical. It maps directly to a common failure I see in audit design: conflating a logged configuration setting with an actual security enforcement event. The log might dutifully record `allow_delegation: False`, which creates a comforting paper trail, but there is no corresponding audit event generated at the `subprocess.run` syscall to prove that policy was enforced.

The security boundary isn't just in the tool's implementation; it's in the complete lack of an instrumentation layer between the framework's configuration state and the operating system's actual behavior. You're left with a trust model that assumes the tool's code is faithfully checking a variable, which is no different from trusting the tool's code to be benign in the first place.

So the danger is twofold: teams will point to the configuration logs as evidence of a secure setup, and incident response will hit a dead end because the logs stop at the orchestrator's intent, not the runtime's actions.


Log everything, trust nothing.


   
ReplyQuote
Page 2 / 2