Guide · Updated June 11, 2026
Agent Workflow Security Checklist
Agent workflows should be treated like executable automation, not ordinary documentation. A workflow that can read files, call tools, invoke shell commands, or write to external systems needs a clear permission model and a human review path.
Repository signals
- Confirm the license and maintainer activity before reusing code or templates.
- Inspect workflow files, agent instructions, hooks, command folders, and MCP configuration.
- Prefer repositories with test examples, setup notes, and explicit rollback guidance.
Risk review
- Flag credential requirements, filesystem access, shell commands, browser automation, and external writes.
- Require human approval for workflows that change source code, infrastructure, email, access control, or billing paths.
- Run first in a non-production repository and capture output to Markdown or JSON before connecting real services.
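A compact review script for the two checklists above, added here as an example rather than tooling from the original guide: it takes a constructed workflow manifest (the field names and tool names are assumptions, not any real agent framework's schema), flags the capabilities the risk review names, decides whether the write targets fall on a path that needs human approval, and renders the result as the Markdown or JSON record the dry run should capture.

```python
import json

# Constructed sample manifest (not any real project's format): one agent workflow
# declaring the tools it may call, the env vars it needs and where it may write.
SAMPLE_WORKFLOW = {
    "name": "release-notes-bot",
    "tools": ["read_file", "shell", "http_post"],
    "env": ["GITHUB_TOKEN", "SMTP_PASSWORD", "LOG_LEVEL"],
    "writes": ["src/CHANGELOG.md", "mail:release@example.com"],
}

# Capabilities the checklist says to flag, keyed by the assumed tool names.
RISKY_TOOLS = {
    "shell": "shell commands",
    "browser": "browser automation",
    "write_file": "filesystem writes",
    "http_post": "external writes",
}
# Write targets the checklist says must go through human approval (assumed prefixes).
APPROVAL_PREFIXES = {
    "src/": "source code", "infra/": "infrastructure", "mail:": "email",
    "iam/": "access control", "billing/": "billing",
}
SECRET_HINTS = ("TOKEN", "SECRET", "PASSWORD", "KEY")

def review_workflow(manifest):
    """Return the risk flags and the approval decision for one manifest."""
    flags = [RISKY_TOOLS[t] for t in manifest.get("tools", []) if t in RISKY_TOOLS]
    secrets = [e for e in manifest.get("env", [])
               if any(hint in e.upper() for hint in SECRET_HINTS)]
    if secrets:
        flags.append("credentials: " + ", ".join(secrets))
    reasons = sorted({label for target in manifest.get("writes", [])
                      for prefix, label in APPROVAL_PREFIXES.items()
                      if target.startswith(prefix)})
    return {"name": manifest["name"], "flags": flags,
            "needs_human_approval": bool(reasons), "approval_reasons": reasons}

def render_markdown(review):
    """Markdown summary, suitable for the captured dry-run record."""
    verdict = "yes" if review["needs_human_approval"] else "no"
    if review["approval_reasons"]:
        verdict += " (" + ", ".join(review["approval_reasons"]) + ")"
    lines = [f"## {review['name']}", f"- Human approval required: {verdict}"]
    lines += [f"- Flag: {flag}" for flag in review["flags"]]
    return "\n".join(lines)

if __name__ == "__main__":
    report = review_workflow(SAMPLE_WORKFLOW)
    print(render_markdown(report))        # Markdown record of the dry run
    print(json.dumps(report, indent=2))   # same review as JSON
```

Extend `RISKY_TOOLS` and `APPROVAL_PREFIXES` to match the tool names and repository layout your own workflows actually use; the sample values only illustrate the checklist's categories.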