-
Notifications
You must be signed in to change notification settings - Fork 0
Spool Security
Spools are the source of truth for which modules run on your system. This page explains the security model and what you need to know before using a spool.
https://github.com/Muxcore-Media/spool
The official MuxCore spool is maintained by the MuxCore team. All modules it lists are under the Muxcore-Media GitHub organization. When you run:
muxcored --tag defaultyou are loading the default tag from the official spool. Core fetches the tag definition, resolves the listed modules, and launches them.
You can point MuxCore at any spool:
muxcored --tag my-setup --spool https://github.com/some-user/custom-spoolThis is a trust decision. A third-party spool can:
- List modules that contain malicious code
- Point to forks with backdoors or data exfiltration
- Omit security-critical modules (e.g., auth, rate limiting) and replace them with stubs
- Specify outdated versions with known vulnerabilities
- Change its module list at any time — the tag you fetched yesterday might be different today
Modules run with the same OS privileges as the core process. A malicious module can access your filesystem, network, environment variables, and any data MuxCore manages.
-
Audit the module list. Open the spool repo and read every
tags/<name>.jsonfile. Know exactly which modules will run. - Verify each module repo. Check that the repo URLs point to legitimate sources, not lookalike forks.
- Check for security modules. Make sure the spool includes auth, rate limiting, and other security infrastructure — and that they point to real implementations, not stubs.
-
Pin to a specific version. Tags in the spool specify module versions. Use a tag that pins explicit versions, not one that floats on
latest. - Test in isolation first. Run MuxCore in a container or VM with restricted access before deploying on production hardware.
When you use the --tag flag, MuxCore prints a security disclaimer to stderr before loading any modules. If you use a non-default spool (--spool), the disclaimer is displayed regardless.
Core does not currently:
- Verify module binary signatures or checksums
- Sandbox module processes (they run with full user privileges)
- Validate that a spools modules havent changed since you last checked
These are on the roadmap. For now, the security boundary is your diligence.
Anyone can host a spool. See the official spool repo for the format:
your-spool/
├── catalog.json # Module catalog
├── tags/
│ ├── default.json # Tag definitions
│ └── custom.json
└── README.md
A spool can be any git repo with a tags/ directory. GitHub repos work out of the box. Non-GitHub repos need to serve the tags/ directory over HTTP.
| Threat | Risk | Mitigation |
|---|---|---|
| Malicious module in third-party spool | High | Audit spools before use |
| Spool tag changed after review | Medium | Pin to a specific commit |
| Module repo compromised | High | Module binary signing (planned) |
| Module escapes to host | High | Sandboxing (planned) |
| Official spool compromised | Low | GitHub org security, 2FA required |