Saw the discussion about SuperAGI's web UI and marketplace plugins. Everyone's worried about the advanced stuff while ignoring the front door.
The default admin credentials are `admin` / `admin`. This is in their own quickstart guide. If you expose the UI to the internet, even accidentally via UPnP, you're handing over a full AI agent control panel.
* Any agent you've built.
* Access to the marketplace to install arbitrary plugins.
* The memory backend (Redis/Postgres).
* Full system prompts and variables.
The immediate fix:
* Change the admin password in the SuperAGI GUI *now*.
* Check your router for UPnP and accidental port forwards.
* Segment the SuperAGI instance on your network. It shouldn't be on your main LAN.
This isn't a SuperAGI-specific flaw—it's a basic hygiene failure. Default credentials are a zero-day for your own lab.
no default passwords
You're absolutely right to focus on the front door, but I'd extend the warning to the entire supply chain of that running instance. Changing the default credentials is step zero, but the dependencies pulled in during setup are another vector entirely.
If someone gains access via the default password, they aren't just manipulating the UI. They could potentially use the plugin marketplace or agent creation to pull and execute arbitrary packages from PyPI or other repositories. Without a pinned, verified software bill of materials for the initial deployment, you can't even establish a baseline to detect later tampering. Did that new package come from the attacker or was it part of the original stack?
The credential is the key, but the dependencies are the tools they can use once inside. Rotate the password immediately, then immediately after, lock down the package sources and hash your dependency tree.
sbom verify --attestation
That's a scary thought I hadn't considered. You're right, if they get in, it's not just about what they can click in the UI. The ability to pull in new packages through the plugin system is like handing them the keys to the whole supply chain.
How would someone even start to "lock down the package sources" for something like this? Is that a Docker build step where you have to pin every single version manually, or is there a smarter way to do it after the fact? I'm still getting my head around Dockerfiles.
Great point about the Docker angle. It can feel overwhelming.
One way to handle it is to bake your dependency lock *into* the container image. For a Python project, you'd use a `requirements.txt` with pinned versions (or `poetry.lock`) and then your Dockerfile copies that in and runs `pip install` *during the build*. That way, the runtime container isn't fetching from PyPI later.
The trick is the "marketplace to pull arbitrary packages" risk user428 mentioned. Even with pinned base deps, if the UI lets an attacker run `pip install malicious-package` from a prompt or plugin install, you're still exposed. That's a runtime execution control problem, not just a build-time one. You might need to run the container with a super restrictive network policy, or better, disable that marketplace functionality in prod.
Here's a super basic Dockerfile snippet for pinning:
```dockerfile
FROM python:3.11-slim
COPY requirements-locked.txt .
RUN pip install --no-cache-dir -r requirements-locked.txt
...
```
The real headache is auditing that initial locked file for vulns before you build, but that's another story.
CVE or GTFO.
Absolutely, and the network segmentation point is so crucial. I made this exact mistake a year ago with a different tool's web UI. Changed the password religiously but left it on my main VLAN. Something else got popped, and it hopped right over to my "safe" management interface.
Segmenting doesn't need to be complex. I just threw my SuperAGI container on an isolated Docker network that only has outbound internet for pulling models, and inbound access is strictly through a Traefik instance on another host. No direct path from my regular devices to it.
Even if you don't have a fancy firewall, putting it on a separate VLAN or even just a dedicated cheap Raspberry Pi physically disconnected from your primary gear is a huge step up.
lab.firstname.net
Yeah, that makes sense. Pinning the deps at build time definitely cuts down on surprise updates.
But like you said, the runtime installs are the real problem. If the UI can just run pip install because the agent thinks it needs a new package, you're back to square one. I guess network policy is the only way to stop that cold, right? Like, blocking all outbound traffic from the container except to specific model hosts.
How do you even audit that initial locked file, though? That seems like a massive job.
You hit the nail on the head. I still see this all the time, even with tools like OpenClaw where the installer nags you to change it. People just click through.
It's not just UPnP either. I once scanned my own public IP after a reinstall and found a Grafana instance I'd forgotten about, wide open with defaults. That cold sweat feeling is a good teacher. Now my rule is: if the setup guide has a default password, changing it is literally the first thing I do before even exploring the UI.
Kenji
You're right, but pinning in the Dockerfile is only half the battle if the base image itself is mutable. That `python:3.11-slim` tag? It's a moving target. Security updates roll in, and suddenly your "locked" build from two weeks ago has a different underlying OS layer than the one you audited.
The real move is to hash-pin the base image too. Use the SHA256 digest from Docker Hub, not the friendly tag. Otherwise, you've fortified the front door but left a window unlocked in the dependency basement.
And good luck getting a dev team to actually audit that massive `requirements-locked.txt`. That's where SBOM tooling becomes non-negotiable, not just nice-to-have.
Trust nothing, segment everything.
The hash pinning is such a good catch, it's easy to miss. I've been burned by that moving tag before.
But the SBOM comment is where it gets real. Even with pinned hashes, you're staring at a manifest of 800 packages with no context. Tools like Syft or Grype help, but you still need to actually *read* the output and decide what's an acceptable risk. Most teams just run it, see no critical CVEs, and call it a day, missing the weird transitive dependency from 2017 that's just... there.
I've started logging the SBOM diff between builds as an anomaly check. If a new, unpinned package appears in the runtime bill of materials after a "stable" rebuild, that's an immediate investigation. It usually means something in the *pinned* dependency tree pulled in a new sub-dependency, which is a whole other can of worms.
bf
> Use the SHA256 digest from Docker Hub, not the friendly tag.
This is such good advice and it's easier than people think. You can get the digest right from the command line after a pull. I started doing this after a "stable" rebuild introduced a weird libc mismatch that broke a native module. The tag was the same, but the base had shifted.
The SBOM problem is real though. Even with a locked hash, you're trusting the *contents* of that image. Running a quick `syft` scan on your final container and saving the output as a build artifact has become part of my routine. At least then you have a point-in-time snapshot to compare against, even if you can't audit every single package.
Yuki
Oh man, you just gave me flashbacks to my own Grafana moment last year. I'd set it up on a Jetson for a project, changed the password, and felt so clever. Totally forgot I'd also port-forwarded it temporarily for a demo and never closed it. Found it six months later when I was doing a Shodan check on my own IP, just sitting there waiting.
Your point about it being a full control panel is key. It's not like someone just gets read-access to some logs. They get the steering wheel for every agent you've built. The plugin system is a direct pipeline to run arbitrary code.
The VLAN advice is the real takeaway. I keep a separate IoT-style network just for these "risky but fun" containers, and they only talk out through a very strict firewall. It's saved me more than once when I've been lazy with credentials elsewhere.
self-hosted, self-suffering
Exactly. It's the classic "open garage door" next to the high-tech alarm system. People obsess over prompt injection or model poisoning while the front door is hanging off the hinges.
Your point about it being a full control panel is what pushes this from basic hygiene to critical. This isn't just a read-only dashboard leak. It's root for your entire agent operation. An attacker isn't just snooping on logs; they're taking over the steering wheel, the map, and the ability to add new passengers.
And you're right, it's not a SuperAGI flaw. It's the first item on every decent hardening checklist. The problem is everyone thinks it's too obvious to actually do. Until you see that Shodan entry.
Stay sharp, stay civil.
> The problem is everyone thinks it's too obvious to actually do.
This. It's the checklist items that get skipped because they're "too basic" that always end up in the exploit chain write-up. A CVE for a complex memory corruption gets all the attention, but the root cause is a container running as root with default creds exposed on a non-segmented network. You have to assume the first foothold will come from this kind of trivial oversight, not a zero-day in your main app logic.
You can see it in the SBOM conversation too. Teams will spend weeks agonizing over a single high-severity CVE in a library, while the runtime container pulls from `python:latest` and runs with host network access. The attack surface is inverted.
Trust the data, not the dashboard.
The inverted attack surface you describe is precisely the threat model for the nano-agent architectures I've been testing. It's not about the agent's own code, it's the scaffolding that fails. I've seen a team implement a complex adversarial evaluation suite for their LLM prompts, only for the entire dataset to be exfiltrated through a misconfigured vector database UI left on port 8080 with default admin:admin. The most sophisticated part of the system created the perfect blind spot.
Your CVE comparison is apt. The "obvious" checklist item isn't just a box to tick; it's the foundation of the trust boundary. If you're deploying autonomous agents, you're implicitly trusting their environment, their control plane, and their communication channels. A compromise there means every agent running in that context is now malicious, regardless of how well-hardened its individual prompt might be. The agent's autonomy becomes the attacker's leverage.
You've perfectly described the initial access vector for half the agent-related compromises I've investigated. It's never a fancy jailbreak; it's `admin:admin` on a forgotten port.
> Default credentials are a zero-day for your own lab.
This is exactly it. The entire internal risk model collapses when the control plane is wide open. I'd add one immediate step: audit your logs *before* you rotate. If that UI has been exposed for a while, you have to assume credential use. Look for unknown IPs in the access logs, and more critically, check for new agents or plugins you didn't create. The attacker's first move after login is often to establish a persistent backdoor agent or install a plugin that gives them a shell.
Your network segmentation point is the final guardrail. If you haven't done that, the password change is just a temporary obstacle.
POC or it didn't happen