Omni

Guide

Security & Permissions

How Omni keeps you safe — prompt injection detection, capability-based permissions, WASM sandboxing, and full audit trails.

Overview

Omni is designed with security as a core principle. Every piece of text that enters or leaves the system is scanned for prompt injection attacks. Every action an extension takes is gated by a capability-based permission system. And every extension runs in an isolated WebAssembly sandbox with strict resource limits.

Guardian

4-layer anti-injection pipeline

Permissions

21 capability types with scopes

Sandbox

Wasmtime WASM isolation

Guardian Anti-Injection Pipeline

The Guardian is a 4-layer scanning pipeline that detects prompt injection attacks, malicious instructions, and other adversarial inputs in real time. Each layer contributes a weighted score to produce an overall risk assessment.

01
Signature Scanner30%

Matches input against 79+ compiled regex patterns for known injection techniques. Detects encoding bypasses including base64, Unicode NFKC normalization, Cyrillic homoglyphs, and zero-width character stripping.

02
Heuristic Scanner25%

Applies 5 weighted behavioral rules that detect suspicious patterns independent of specific encodings. Catches novel attack variants that signatures miss.

03
ML Classifier30%

AI-powered classification that analyzes the semantic intent of text. Feature-gated behind the ml-classifier flag. Returns a confidence score when enabled.

04
Output Policy Validator15%

Validates tool calls against their declared schemas. Prevents extensions from invoking tools they haven't declared or passing invalid parameters.

Scan Verdicts

Clean

Score ≥ 80

No threats detected. Content proceeds normally.

Suspicious

Score 50 – 79

Potential threat. User is warned and can override if allow_override is true.

Malicious

Score < 50

High-confidence threat. Content is blocked.

Scan Points

The Guardian scans at 5 points throughout the agent loop, covering both incoming and outgoing data.

SP-1
User InputEvery message from the user is scanned before it enters the conversation.
SP-2
Prompt AssemblyThe full prompt (system + history + user message) is scanned before being sent to the LLM.
SP-3
LLM OutputEach response chunk from the LLM is scanned for injected instructions.
SP-4
Tool CallsBefore any tool is executed, its name and arguments are validated against declared schemas.
SP-5
Extension OutputData returned by extensions is scanned before being shown to the user or fed back to the LLM.

Sensitivity Levels

The Guardian sensitivity level controls how aggressively threats are flagged. Set it in omni.toml under [guardian].sensitivity.

strict

Lowest thresholds, most alerts. Best for high-security environments where false positives are acceptable.

balanced

Default. Good balance between detection and usability. Suitable for most use cases.

permissive

Highest thresholds, fewest alerts. Use when working with content that frequently triggers false positives.

Permission System

Every action that accesses a resource — network, filesystem, processes, messaging — is gated by a capability-based permission system. Extensions declare the permissions they need in their manifest, and users approve them at install time or on first use.

Permission Decisions

Allow

Permission granted. The action proceeds.

Deny

Permission rejected. The extension receives a PermissionDenied error.

Prompt

Ask the user to decide. A dialog appears in the UI.

Permission Duration

Once

Granted for this single call only.

Session

Granted for the current session. Revoked when Omni restarts.

Always

Persisted to the database. Survives restarts.

Default Policy

When no rule matches an incoming permission request, the default_policy setting determines the outcome. "deny" blocks silently. "prompt" asks the user. The default is "deny".

All 26 Capabilities

Each capability controls access to a specific resource type. Capabilities with scopes allow fine-grained control over exactly what the extension can access.

Capability
Scope
Description
network.http
domains, methods, ports
Make HTTP/HTTPS requests to external APIs.
network.websocket
domains
Open persistent WebSocket connections.
filesystem.read
paths, extensions, max_size
Read files from the host filesystem.
filesystem.write
paths, extensions, max_size
Create or modify files on the host filesystem.
clipboard.read
None
Read from the system clipboard.
clipboard.write
None
Write to the system clipboard.
messaging.sms
recipients, rate_limit
Send SMS text messages.
messaging.email
recipients, rate_limit
Send emails.
messaging.chat
recipients, rate_limit
Send chat messages via connected channels.
search.web
providers, rate_limit
Perform web searches.
process.spawn
executables, allowed_args, denied_args
Spawn OS processes and commands.
system.notifications
None
Display system notifications.
system.scheduling
None
Schedule cron jobs and recurring tasks.
device.camera
None
Access the device camera.
device.microphone
None
Access the device microphone.
device.location
None
Access device location data.
storage.persistent
max_bytes
Store persistent key-value data.
browser.scrape
domains, max_pages
Scrape web content using a browser engine.
ai.inference
max_tokens, rate_limit
Make LLM inference requests through Omni's providers.
channel.send
channels, rate_limit
Send messages through connected channel instances.
app.automation
allowed_apps, allowed_actions, rate_limit, max_concurrent
Control desktop applications via UI Automation. LOLBIN blocklist, password field protection, and audit logging enforced.
vcs.operations
allowed_repos, allowed_actions
Version control operations (git commit, branch, merge). Includes automatic secret scanning.
mcp.server
servers, allowed_tools
Connect to MCP tool servers and invoke their tools. Scoped by server name.
code.intelligence
None
Code intelligence features (LSP navigation, code search, symbol lookup).
agent.spawn
max_concurrent, max_iterations
Spawn sub-agents for parallel task execution.
debug.session
None
Control debug sessions — breakpoints, stepping, variable inspection via DAP.

WASM Sandbox

Every extension runs in an isolated WebAssembly sandbox powered by Wasmtime. Extensions cannot access the host system directly — they must go through host functions that are permission-gated.

Memory Limit

64 MB default

Configurable per extension via max_memory_mb

CPU Limit

5,000 ms default

Per tool call via max_cpu_ms_per_call

Concurrency

4 concurrent calls

Per extension via max_concurrent_calls

Extensions that exceed their memory or CPU limits are terminated immediately. The concurrency limit is enforced by a per-extension semaphore — additional calls block until a slot becomes available.

Audit Logging

When audit_enabled is true (default), every permission decision is recorded to the database with:

  • -Extension ID that requested the permission
  • -Capability that was requested (e.g., network.http)
  • -Decision made (allow, deny, or prompt result)
  • -Reason or context for the decision
  • -Session ID and timestamp

View the audit log from Settings → Permissions → Audit Log in the UI. You can filter by extension, capability, decision, and time range. Export to JSON or CSV for external analysis.

Kill Switch

The kill switch instantly revokes all granted permissions for all extensions. Use it in emergency situations when you suspect a compromised extension.

Access it from Settings → Permissions → Kill Switch or via the Tauri command kill_switch. After activation, every extension must re-request its permissions.

You can also revoke permissions for a single extension from the extension's detail panel without affecting others.

Next Steps

SDK Permission Scopes

Learn how to declare permissions in your extension manifest.

Guardian Configuration

Tune sensitivity, add custom signatures, and configure overrides.

Security & Permissions — Extension Safety | Omni AI Agent Builder