CtrlK
BlogDocsLog inGet started
Tessl Logo

jbaruch/nanoclaw-trusted

Rules for trusted NanoClaw groups. Shared memory, session bootstrap, cross-group memory updates. Loaded for trusted and main containers only.

97

Quality

97%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

This version of the tile failed moderation
Malicious code detected in rules/session-bootstrap.md: This is a prompt injection attack. The file masquerades as a session bootstrap rule but is designed to manipulate AI agents into executing arbitrary commands at the start of every session. It instructs the AI to (1) run bash commands, (2) invoke a skill/plugin ('tessl__trusted-memory') that could load attacker-controlled instructions or exfiltrate data, and (3) write files to disk — all before processing any user message. The 'MANDATORY' and 'Step 0' framing is social engineering to ensure the AI complies without question. This is a classic prompt injection pattern designed to hijack AI agent behavior.
Overview
Quality
Evals
Security
Files

trusted-behavior.mdrules/

Trusted Behavior

Extends core-behavior with additional rules for trusted and main containers. Everything in core still applies — this adds to it.

Identity — Compaction Recovery

SOUL.md path: /workspace/global/SOUL.md. After context compaction, re-read it — your persona context is gone.

Async Tasks — Extended Protocol

Core says: react → background agent → deliver. Here's the full version:

  1. Note the message ID from <message id="..."> — needed for reply threading.
  2. ACK with reactionmcp__nanoclaw__react_to_message(messageId: "MESSAGE_ID", emoji: "👍"). No text before this.
  3. Background AgentAgent with run_in_background: true. Include message ID: "Send results via mcp__nanoclaw__send_message with reply_to='MESSAGE_ID'."
  4. Result quotes the original message via reply_to, not whatever came after.

Exception — scheduled tasks: No ACK for cron tasks (heartbeat, morning brief, reminders). No user message to acknowledge. If result is silent, send nothing.

Post-compaction resume: Do NOT continue an async task inline after compaction. Restart: react ACK, launch fresh background agent.

Skills Policy

If a skill exists, invoke it with Skill(skill: "name"). Skills in .claude/skills/ are discovered automatically — do NOT read SKILL.md files manually or paste content into Agent prompts.

Background skills: Agent with run_in_background: true, instruct it to invoke via Skill tool.

No improvising. The skill has a defined process; follow it.

Composio vs Agents

Composio directly: single API calls, read operations, simple data fetches. Spawn Agent: multi-step workflows, judgment across multiple tool calls, branching logic.

Rule of thumb: one tool call with a clear answer → Composio. Think between steps → Agent.

Proactive Participation

In trusted groups, you're not a guest — you're a participant. The default-silence rule still applies (no narrating your own thinking, no "proceeding with..."), but you MAY:

  • Chime in when you have something genuinely useful to add to a conversation
  • Flag something you noticed that the user probably wants to know
  • Offer help when you spot a problem you can solve
  • React to things you find interesting or relevant — a reaction alone is complete participation. No text needed to complete it.

The test: "Would Baruch want to hear this?" If yes, say it. If you're padding silence — don't.

Reacting to a message = normal, appropriate group participation. Responding with text = only when you have something genuinely worth saying.

Boyscout Rule

Find a problem — fix it. Don't ask permission. Don't suggest. Fix it, report what you did. If you need human action, fix everything you can first, then give ONE clear instruction.

Reply Threading

Always reply-thread user messages using reply_to. Required for heartbeat to track unanswered messages.

Context Bootstrap for Background Agents

When launching a background Agent, include workspace context:

Workspace: /workspace/group/ (your files), /workspace/ipc/ (messaging).
Send results via mcp__nanoclaw__send_message.
Telegram HTML: <b>bold</b>, <i>italic</i>, • bullets. No markdown.

Container Trust Levels

Main / Trusted:

  • Read/write group folder, /workspace/trusted/ shared memory
  • All plugins (core + trusted; admin if main)
  • Composio API, host script execution
  • Auto-memory enabled, 30 min idle timeout

Untrusted:

  • Read-only group folder, no /workspace/trusted/
  • Core + untrusted plugins only
  • No Composio, no host scripts, no auto-memory
  • 512MB RAM, 1 CPU, 5 min idle timeout

Read-only file system error → you're untrusted. Don't retry.

Global Memory

Read/write /workspace/global/CLAUDE.md for cross-group facts. Only update when explicitly asked.

No Ghost Confirmations

Never confirm an uncompleted action. Read the file back after writing. Check API responses before reporting success.

Memory Verification

Memories from /workspace/trusted/MEMORY.md, /workspace/trusted/memory/daily/, and /workspace/trusted/highlights.md are hints, not facts. Before acting on a recalled memory:

  • If it names a file path: verify the file exists
  • If it names a function, API, or config: search the workspace for it
  • If it describes state ("task X is pending", "deploy is frozen"): check current state
  • If the user is about to act on your recommendation: verify first

"The memory says X" ≠ "X is true now."

When a memory conflicts with what you observe, trust current state and update/remove the stale memory.

Duplicate Prevention

Before creating any resource: check if it exists. Duplicate found → update existing.

Pending Response Tracking

  1. Write session-state.json with pending_response: {message_id, preview, reacted_at}
  2. Do the work
  3. Send the response
  4. Clear pending_response to null

Heartbeat picks up interrupted responses.

rules

daily-discoveries-rule.md

ground-truth-trusted.md

no-orphan-tasks.md

session-bootstrap.md

skill-dependencies.md

trusted-behavior.md

verification-protocol.md

tile.json