Security & Responsible Use
Authorised security work, content safety, and safe import and export practices.
WorkCheats is designed for authorised security work — labs, defensive validation, incident response, and professional technical operations conducted with proper permission.
Using WorkCheats responsibly protects you, your organisation, and the people whose systems you test.
Authorised security work only
WorkCheats must only be used for:
- Engagements and environments where you have explicit authorisation
- Defensive operations, SOC/DFIR workflows, and training labs with clear scope
- Professional productivity — not unauthorised access, credential theft, or evasion
You are responsible for scope, rules of engagement, and compliance with applicable law and policy.
Commands and scripts are content
Commands, scripts, snippets, workflow steps, and notes in WorkCheats are content artifacts:
- WorkCheats stores and displays them
- WorkCheats does not execute them on your targets or in your shell
- You choose when and where to copy or run content in environments you control
This applies to the web app and the wcheats CLI.
User content is untrusted
Treat all user-entered and imported content as untrusted until reviewed:
- Commands and notes from teammates
- Packages uploaded through Import & Export
- Notes, outputs, and attachments pasted into Sessions
- Template and report bodies, fields, evidence notes, and exports — see Templates lifecycle and Reports lifecycle
- Session and workspace variable values you or others enter
- Content installed from Marketplace — curated, but still review before live use
WorkCheats stores and renders this content as text. It does not execute commands, scripts, or workflow steps on your behalf. It does not guarantee safety, correctness, or scope fit.
Secrets and sensitive values
- Do not store passwords, API keys, tokens, or private keys in commands, variables, notes, templates, report bodies, fields, evidence, or package JSON unless your organisation explicitly allows it.
- WorkCheats is not a secrets manager or vault.
- Variable masking in the web app is a UI safety aid — not encryption and not a permission boundary. Workspace members with access may still view workspace variable values.
- Session passphrases add an access layer before opening a protected session — they do not encrypt session content. See Protected sessions.
- Redact sensitive values in notes and outputs when sharing exports or team workspaces.
- Use external secret stores for credentials.
See Variables for workspace vs session variables and masking guidance.
Safe import and export
Import (uploaded packages — always untrusted):
- Use Import Center only for JSON you are willing to review — not as a Marketplace publish path.
- Validate, preview, map taxonomy, and resolve duplicates before confirming writes.
- Reject packages from unknown sources or packages with forbidden billing, entitlement, trust, or secret fields.
- Treat commands, scripts, and workflow steps as content artifacts — WorkCheats does not execute them during import.
See Import & Export for the Package v1 flow and forbidden metadata rules.
Export:
- Export only content you are permitted to share.
- Protect exported files — they may contain operational details.
- Follow your organisation's data classification rules.
- Marketplace-installed, starter, and system content is often export-blocked by provenance — editing does not automatically restore export rights.
- Export entitlement and item export policy are separate checks during closed beta.
See Export policy for the provenance matrix.
Marketplace install uses a different trust model — server-side copy from published listings, not uploaded JSON. See Marketplace.
Account and workspace boundaries
- Personal workspace content belongs to your account — other users cannot access it unless shared through team mechanisms you control.
- Team workspace content is visible to team members with access — assume teammates can read what you store there.
- Switch workspaces deliberately before importing or editing sensitive content.
Sign out on shared machines. Enable MFA when available.
Feedback and support safety
When you use the in-app BETA | Feedback widget or email support, treat title, message, and screenshot attachments as user-provided content:
- Do not include passwords, MFA codes, API keys, tokens, session cookies, private keys, or service credentials.
- WorkCheats support does not need private keys, service credentials, or recovery codes to help with product issues.
- Redact or crop screenshots that might show client data, command output, notes, or reports before attaching.
- Follow the same authorised-use rules as the rest of the product — do not share exploit details or unauthorised target information in public feedback channels.
See Feedback & support for the bug-report checklist and contact fallback.
Variables, sessions, and logging
- Workspace variables are visible to workspace members with access — masking does not hide values from authorised members.
- Session variables apply to one workflow run and do not change workspace rows.
- WorkCheats avoids logging variable values in routine service diagnostics; operational logs use safe metadata only. This does not replace careful handling of secrets in the UI.
Current
- Text-only rendering of user content (no script execution in app or CLI)
- Import validation and confirmation gates for uploaded packages
- Separate Marketplace install path from user uploads
- Workspace-scoped access in personal and team accounts
- UI masking for sensitive variable names; optional protected session passphrase layer
Roadmap
Security posture may expand with future features (CLI output capture, automated report assembly). Roadmap capabilities are not available yet — review Templates & Reports and wcheats CLI for labelled roadmap items only.
For operational help, see Troubleshooting and Feedback & support.

