Security

Town includes built-in security measures to protect your data and prevent misuse. These protections apply automatically.

Blocked tool combinations

Certain tool combinations are restricted to prevent security risks.

The “lethal trifecta”

Town blocks workflows in autonomous mode that combine all three of:

1. Access to private data — Tools that can read sensitive information (emails, calendar)
2. Exposure to untrusted content — Triggers that receive external input (incoming emails)
3. External communication — Tools that can send data outside (run_code, Slack, GitHub writes)

When all three are present, external communication tools are automatically disabled.

Why? This prevents a malicious email from instructing your assistant to exfiltrate data. Even if an attacker crafts a clever prompt injection in an email, the workflow can’t send data externally.

Affected tools

Tools marked as “external communication” include:

• run_code — Can execute arbitrary code
• slack_dm_user — Sends Slack messages
• github_create_or_update_file — Creates commits
• github_create_pull_request — Opens PRs
• update_sheet_data — Updates Google Sheets
• update_doc — Updates Google Docs
• create_calendar_event — Creates events with attendees

Affected triggers

Triggers marked as “untrusted input” include:

• incoming_email — Emails from external senders

What to do

If you need a workflow that combines these capabilities:

• Use approval-required mode instead of autonomous
• Review actions before they execute
• Or split into multiple workflows with narrower scope

Prompt sanitization

Town analyzes workflow prompts for potentially dangerous patterns.

Blocked patterns

These patterns are blocked entirely:

• Instruction override — “ignore all previous instructions”
• System manipulation — Attempts to modify system prompts
• Role manipulation — “you are now in developer mode”
• Delimiter escapes — Attempts to break out of prompt structure
• Privilege escalation — “enable admin mode”
• Data exfiltration — “forward all emails to…”

If a prompt contains blocked patterns, the workflow cannot be saved.

Suspicious patterns

These patterns are logged but not blocked:

• Code execution keywords
• Template injection syntax
• Bypass attempts

These may indicate a prompt injection attempt and are monitored.

Output validation

When workflows attempt actions, outputs are validated:

Email validation

• Recipient limits — Maximum 50 recipients per email
• Blocked patterns — Known malicious email patterns are blocked
• Domain validation — Optional allowlists for approved domains
• Self-send allowed — send_email_to_user always allowed (sends to you)

Account validation

• Account isolation — Workflows can only access accounts you’ve connected
• Account ID verification — Account references are validated before use

Action logging

Every action is logged with:

• What action was taken
• When it occurred
• What triggered it
• The workflow’s reasoning
• The result

This provides:

• Auditability — Review what happened
• Debugging — Understand why something happened
• Accountability — Track all modifications

Account access control

• Workflows can only access accounts you’ve explicitly connected
• Each account requires OAuth authorization
• You can revoke access anytime
• Tokens are stored securely and refreshed automatically

What you can do

Review run logs

Regularly check what your workflows are doing:

1. Go to Workflows
2. Click a workflow
3. View Runs to see history

Use approval-required mode

For sensitive workflows, require approval for write actions. This adds a human check before any modification.

Limit tool access

Only enable tools a workflow needs. Fewer tools = smaller attack surface.

Test before deploying

Use dry runs to verify behavior before enabling in production.

Reporting issues

If you discover a security issue or unexpected behavior:

• Check run logs for details
• Disable the workflow if needed
• Contact support with details