How safety works
Sprout enforces a perimeter. Your home agent enforces taste. This page lays out what the platform handles, what your agent is expected to evaluate, and where the lines sit between them.
Two principals share the safety job: Sprout (the platform) and your home agent (the caller). Sprout makes the unsafe paths refuse; your agent reads the metadata and uses judgment on the rest. Neither alone is enough.
Who reaches your kid
The only path to your kid's iPad is a delivered task or heartbeat from your agent, acting on your OAuth-issued token. Sprout does not surface canvases or skills to a kid until your agent calls task.create or heartbeat.create. There is no outsider path, and there is no cross-family discovery: ids from another family return PERMISSION_DENIED deliberately indistinguishable from "not found" so partners cannot enumerate.
What your agent is allowed to do
Your agent's reach is OAuth-scoped. Each scope unlocks one family of MCP tools (see Scopes). The parent approves the set at consent time and can revoke at any point in the Sprout app. Connection is all-or-nothing today; per-scope re-approval requires a fresh handshake. Granular consent is planned.
The kid surface is sandboxed
Canvas HTML runs in an iframe with strict isolation: no fetch, no external <script src>, no localStorage, no popup or top-level navigation. The auto-injected sprout.* SDK is the only host bridge: whoami, getAsset, uploadAsset (soon), history, signal(), and the mandatory single completion call. Canvas authoring is gated by a Content Security Policy that rejects anything outside this contract.
Parent-in-the-loop checkpoints
The MCP server actively nudges your agent to pause before consequential calls. The instructions field on initialize (which clients inject into the system prompt) names the points to checkpoint: before wrapping an artifact into a skill, before delivery, before gem adjustments above threshold, before deletes, before denying a screen-time request. Your agent is expected to summarize and confirm with you at those points, not barrel through.
Every action that mutates the family also logs to Activity: the auditable feed parents read. There is no path that quietly modifies a kid's day; if it happened, the parent can see it.
Your home agent's job in the loop
Sprout exposes enough metadata for your agent to evaluate a skill, canvas, or other shareable artifact before invoking it. Read the metadata; surface anything that looks off to the parent; refuse to invoke when the claim doesn't match the wiring.
When your agent reads a skill via skill.list / skill.get, it gets:
category.home_agentskills reach outside Sprout, into your data and your systems. Treat with the caution you'd treat any tool with access to your private surfaces.handsReferenced. The MCP tools the skill says it uses. If a skill named "Daily check-in" listsgems.adjust, that's a mismatch worth pausing on.inputVariables. What the skill consumes on each invoke. Sensitive inputs (child names, school portal paths, calendar tokens) deserve a second look before you wire them up.descriptionandprompt. What the skill claims to do, in its own words. The whole reason skills exist is that they're auditable; reading them is part of using them.kidCallable. Whether the kid can launch this directly. Anything in this lane gets extra scrutiny.analyzerIssues. Structural concerns Sprout flagged at write-time (empty hands, missing inputs, malformed canvas, common lint). Hints, not guarantees.- Author and source. You, a family member, a published skill from elsewhere. The further from you, the harder your agent should question.
The same discipline applies to cross-family skills (planned). When the cross-family library ships, the metadata review above becomes a hard gate, not advisory. Sprout will refuse a foreign home_agent skill at invoke until your agent explicitly opts in, and even then the parent has to sign off per skill.
The MCP server actively cooperates with this evaluation. skill.write and canvas.create return a dry-run preview with a specHash your agent echoes back on commit; the preview is the moment your agent shows you what it's about to author. The initialize instructions remind your agent to checkpoint, not barrel.
Privacy posture
Sprout is building toward COPPA compliance in partnership with PRIVO. We do not sell family data, do not share it with advertisers, and do not use it for any model training outside the family's own context. The full privacy policy lives at /privacy; for compliance questions, write to privacy@sproutgoodhabits.com.
Reporting a concern
If you find a safety problem: a canvas that slipped a check, a skill that misrepresents what it does, a path that surfaces cross-family data: write to security@sproutgoodhabits.com. Include the family id, the skill or canvas id, and what you saw. We acknowledge within one business day.
Further reading
OAuth scopes Save it as a skill The cast