
jbaruch/nanoclaw-trusted

Rules for trusted NanoClaw groups. Shared memory, session bootstrap, cross-group memory updates. Loaded for trusted and main containers only.

Quality: 94% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Risky (Do not use without reviewing)

This version of the tile failed moderation
Failed moderation (intent review) in rules/session-bootstrap.md: This is a prompt injection attack disguised as a cursor rule. It instructs an AI agent to execute a bash command as its very first action in every session, then call an external skill ('tessl__trusted-memory') which could load arbitrary instructions or exfiltrate data. The sentinel file mechanism (/tmp/session_bootstrapped) is designed to make it look like a legitimate caching/dedup mechanism, but the real goal is to force the AI to execute commands and call external services before processing the user's actual request. This is a classic prompt injection / agent manipulation pattern.

README.md

jbaruch/nanoclaw-trusted


Rules for trusted NanoClaw groups. Shared memory, session bootstrap, cross-group memory updates. Loaded for trusted and admin scope.

Installation

tessl install jbaruch/nanoclaw-trusted

Rules

| Rule | Summary |
| --- | --- |
| cli-tools-not-installed | The agent container image does NOT include gh or sqlite3 — use Composio GITHUB_* tools and python3 -c 'import sqlite3; ...' respectively. |
| compaction-aware-summaries | When Claude Code compacts context, the summary must preserve information that cannot be recovered from files alone. |
| daily-discoveries-rule | When you learn something new and operationally important — a workflow, where something lives, how something works, a tool to use for a specific task — immediately write it to /workspace/trusted/memory/daily_discoveries.md: |
| github-data-via-composio | curl https://api.github.com/... is also wrong (unauthenticated 60 req/hr, no error envelope, private-repo visibility gap) — use the Composio GITHUB_* tools enumerated in cli-tools-not-installed. |
| ground-truth-trusted | Extends the core ground-truth rule with verification methods and computation available to trusted containers via Composio. |
| identity-dual-handle | Deploy-tier reference incident for the abstract dual-handle invariant in the jbaruch/nanoclaw-core tile's rules/core-behavior.md: a concrete failure where the agent split itself into two addressees because one message used both its display-name trigger AND its Telegram @username. |
| installed-content-immutable | Installed skills and rules under /home/node/.claude/skills/ and /home/node/.claude/.tessl/ are kernel-level read-only at runtime — Write/Edit against them returns EROFS. Real changes flow through the staging → promote → publish → update pipeline. |
| memory-file-locations | 1. All typed memory files go in /workspace/trusted/ root — never in /workspace/trusted/memory/. The memory/ subdirectory is ONLY for daily logs and daily_discoveries. |
| messages-db-schema | Authoritative PRAGMA table_info listing for the canonical messages.db tables — agents kept guessing column names (trigger_word vs real trigger_pattern) and hitting no such column. |
| no-orphan-tasks | Before scheduling any new recurring task, check: |
| no-silent-defer | Defer is allowed only when there is a concrete handoff that will actually do the deferred work. Otherwise it is a silent skip — and silent skips on something the owner intended to act on are material harm, not noise. |
| proactive-fact-saving | Personal facts mentioned in conversation must be saved to trusted memory IMMEDIATELY — not at end of session, not during archival, not "when non-trivial." At first mention. |
| session-bootstrap | Then write the sentinel: echo "done" > /tmp/session_bootstrapped |
| trusted-behavior | Extends core-behavior with additional rules for trusted and main containers. Everything in core still applies — this adds to it. |
| verification-protocol | After these actions, verify independently before confirming to the user: |
| wiki-awareness | A persistent personal wiki lives at /workspace/trusted/wiki/ with raw sources at /workspace/trusted/sources/. |

Skills

| Skill | Description |
| --- | --- |
| system-status | Read-only system-status probe for trusted-tier NanoClaw containers — surfaces stuck scheduled tasks, DB size, and recent task-run failures from the orchestrator's SQLite. Use as part of heartbeat or standalone. Renamed from check-system-health (which collided with the admin tile's same-named skill, per nanoclaw-admin#65); admin keeps the canonical full health probe with dismiss-mechanism management. |
| trusted-memory | Session bootstrap and rolling memory updates for trusted containers. On session start, reads MEMORY.md (permanent facts), RUNBOOK.md (operational workflows), recent daily and weekly logs, and highlights.md to restore context. After non-trivial interactions, appends timestamped entries to group-local and cross-group shared daily logs. Use when starting a new session to load previous notes and remember context, or after meaningful conversations to save conversation history, persist session state, or record newly learned owner preferences. |

See CHANGELOG.md for version history.
