Security is not an afterthought
Your code, your keys, your data. Skulptor is built with defense in depth, from OS-level key storage to sandboxed extensions and auditable agent actions.
OS keychain storage
API keys and tokens are stored in your operating system's native keychain: macOS Keychain, Windows Credential Manager, or Linux Secret Service. Never in plain text, never in config files.
Sandboxed extensions
Every extension runs in an isolated sandbox with explicit permission grants. Extensions cannot access the filesystem, network, or other extensions without your approval.
Scoped filesystem access
The IDE can only access folders you explicitly open. Agent file operations are restricted to the workspace root. No silent reads outside the project boundary.
Terminal approval settings
Configure which commands agents can run automatically and which require manual approval. Set allowlists, blocklists, and approval prompts per workspace.
Audit logging
Every agent action, file modification, terminal command, and API call is logged to a local audit trail. Export logs for compliance review at any time.
Code signing
All Skulptor releases are code-signed and verified. Extensions in the marketplace are scanned for known vulnerabilities before listing.
Data practices
Compliance roadmap
Working toward enterprise-grade certifications.
SOC 2 Type II
In progress: Audit in progress. Expected completion Q3 2026.
GDPR compliance
Planned: Data processing agreements and privacy controls.
HIPAA readiness
Planned: For healthcare teams with BAA requirements.
Vulnerability disclosure program
Complete: Responsible disclosure via security@skulptor.ai.
Found a vulnerability?
We take security reports seriously. Please disclose responsibly via our dedicated email. We aim to acknowledge within 24 hours and resolve critical issues within 72 hours.
security@skulptor.ai