Baton is instruction content, not an executable runtime. That makes its trust boundary smaller, but not zero: once installed, its guidance can influence how an AI agent delegates work.
Before installation, review:
SKILL.mdfor trigger conditions and invariants;- every file under
references/for operational guidance; agents/openai.yamlfor the invocation prompt;install/MANIFEST.mdfor the exact installed surface.
- Install a release tag or full commit SHA, not a moving
mainbranch. - Fetch the runbook and repository files from the same tag or SHA.
- Review the diff before updating.
- Do not pipe remote content directly into a shell.
- Treat an AI-generated installation plan as a summary, not a substitute for reviewing changed files.
Baton does not itself:
- spawn workers or workflows;
- modify files;
- initialize or sync CodeGraph;
- choose or change models;
- bypass platform permissions;
- override user, system, repository, or managed policies.
The active agent and platform remain responsible for authorization and execution. Baton explicitly requires a direct-execution fallback when delegation infrastructure is unavailable or unsafe.
Open a GitHub issue without secrets or private repository contents. For a sensitive report, contact the repository owner through an appropriate private channel before publishing exploit details.