Overview
Two related issues in the omi-agent VM lifecycle:
- Security — Agent VMs are assigned public internet-facing IPs, exposing port 8080 to the entire internet.
- Cost — Stopped VMs continue to incur persistent disk charges indefinitely; idle auto-stop is not sufficient.
Issue 1: Public IP Security Exposure
Root Cause
In desktop/Backend-Rust/src/routes/agent.rs, every agent VM is created with a public NAT IP:
```rust
"networkInterfaces": [{
    "network": "global/networks/default",
    "accessConfigs": [{
        "type": "ONE_TO_ONE_NAT",  // assigns a public internet IP
        "name": "External NAT"
    }]
}]
```
Both the Rust backend and the Python agent-proxy read this external IP from Firestore and connect over the public internet:
```python
# backend/agent-proxy/main.py
vm_uri = f"ws://{vm_ip}:8080/ws?token={vm_token}"
await client.get(f"http://{vm_ip}:8080/health")
await client.post(f"http://{vm_ip}:8080/ping?token=...")
```
Port 8080 on every agent VM is reachable from the entire internet. The only protection is a bearer token in the WebSocket query string — no network-level isolation exists.
Impact
- Any actor who discovers or guesses a VM IP can probe port 8080 directly.
- The omi-agent-vm firewall tag likely permits broad ingress today.
- If the agent service has any vulnerability, it is directly exploitable with no network barrier.
Issue 2: Stopped VM Storage Cost Leak
Root Cause
When a VM goes idle (~30 min without a keepalive ping), the VM shuts down and the GCE instance transitions to STOPPED. However, the 50 GB pd-balanced boot disk is retained because the instance still exists.
The autoDelete: true flag only deletes the disk when the instance is deleted — stopping the instance does not delete the disk.
```rust
// desktop/Backend-Rust/src/routes/agent.rs
"disks": [{
    "boot": true,
    "autoDelete": true,  // only triggers on instance *deletion*, not on stop
    "initializeParams": {
        "diskSizeGb": "50",
        "diskType": "pd-balanced"
    }
}]
```
A stopped pd-balanced disk costs ~$0.10/GB/month = ~$5/month per idle user VM, accumulating with no upper bound as the user base grows.
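An added example, not part of the original issue or the omi code base: a Python audit over instance resources in the shape the Compute Engine `instances.list` API returns, flagging VMs that carry a `ONE_TO_ONE_NAT` access config and estimating the disk charge still accruing on stopped ones. The instance names, `natIP` values and helper names are constructed for illustration; the API reports a stopped instance with status `TERMINATED`.

```python
import json

# Constructed sample: two instance resources shaped like instances.list items.
# Names and IPs are made up (203.0.113.0/24 is a documentation range).
SAMPLE_INSTANCES = json.loads("""
[
  {"name": "omi-agent-a", "status": "RUNNING",
   "networkInterfaces": [{"network": "global/networks/default",
     "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "name": "External NAT",
                        "natIP": "203.0.113.10"}]}],
   "disks": [{"boot": true, "autoDelete": true, "diskSizeGb": "50"}]},
  {"name": "omi-agent-b", "status": "TERMINATED",
   "networkInterfaces": [{"network": "global/networks/default"}],
   "disks": [{"boot": true, "autoDelete": true, "diskSizeGb": "50"}]}
]
""")

# The API status for a stopped instance is TERMINATED; STOPPED is accepted too.
STOPPED_STATES = {"TERMINATED", "STOPPED"}
USD_PER_GB_MONTH = 0.10  # pd-balanced figure quoted in the issue

def public_ips(instance):
    """Return external NAT IPs ('<ephemeral>' when none is assigned yet)."""
    return [ac.get("natIP", "<ephemeral>")
            for nic in instance.get("networkInterfaces", [])
            for ac in nic.get("accessConfigs", [])
            if ac.get("type") == "ONE_TO_ONE_NAT"]

def idle_disk_cost(instance):
    """Monthly disk cost still accruing for a stopped instance, else 0."""
    if instance.get("status") not in STOPPED_STATES:
        return 0.0
    gb = sum(int(d.get("diskSizeGb", 0)) for d in instance.get("disks", []))
    return gb * USD_PER_GB_MONTH

def audit(instances):
    """Map instance name -> findings covering both issues."""
    report = {}
    for inst in instances:
        ips, cost = public_ips(inst), idle_disk_cost(inst)
        if ips or cost:
            report[inst["name"]] = {"public_ips": ips, "idle_usd_month": cost}
    return report

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INSTANCES), indent=2))
```

An instance with `autoDelete: true` still shows a nonzero idle cost here, because the flag has no effect until the instance itself is deleted.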