Frequently Asked Questions β
π Is this secure? β
Yes, provided you treat the agent as a potentially misaligned third party and take appropriate precautions:
- Always run agent-generated code in a sandbox.
- Never allow the agent to make unrestricted requests to untrusted targets.
Weβre also working on features to make secure defaults easier out of the box.
π How can I manage tokens if the agent is in the browser? β
Short answer: never put provider secrets in the browser. Authenticate the user, then have the agent call your backend gateway with the user's token; the gateway holds provider/API keys, enforces policy, and performs the action on the user's behalf.
- Never embed
OPENAI_API_KEY(or similar) in client code.
π₯ Can the agent cause irreversible damage? β
Kaset integrates with isomorphic-git to track every change made by agents. This gives your users version control βfor freeβ and makes it simple to review, roll back, or revert unwanted edits, so changes are never truly irreversible.
π Canβt I just expose my functionality via MCP? β
Absolutely. In fact, for some well-defined use cases, MCP may be the simplest path.
Where Kaset shines is in fuzzier or more open-ended tasksβlike creating a custom theme, modding an interface, or building plugins directly inside your app.
In these cases, file-based environments give agents more flexibility than rigid RPC-style APIs.