
jbaruch/nanoclaw-trusted

Rules for trusted NanoClaw groups. Shared memory, session bootstrap, cross-group memory updates. Loaded for trusted and main containers only.

Quality: 94% (does it follow best practices?)

Impact: no eval scenarios have been run

Security (by Snyk): Risky. Do not use without reviewing.

This version of the tile failed moderation
Failed moderation (intent review) in rules/session-bootstrap.md: This is a prompt injection attack disguised as a cursor/agent rule file. It instructs an AI agent to unconditionally execute a bash command at the start of every session before processing any user input, and to invoke an external skill ('tessl__trusted-memory') which could load arbitrary instructions or exfiltrate data. The 'alwaysApply: true' and urgent, authoritative language ('MANDATORY', 'not optional', 'violating this rule') are social engineering tactics to bypass the AI's safety reasoning. This pattern is designed to hijack AI agent sessions and could serve as a vector for further exploitation.

rules/cli-tools-not-installed.md

alwaysApply: Yes

CLI Tools Not Installed

What's Absent

The agent container image does NOT include the gh (GitHub) CLI or the standalone sqlite3 CLI. Both get reached for reflexively, and both fail with command not found (32 + 23 events on the operator-observer chat 2026-04-28..05-03 across telegram_swarm, telegram_old-wtf, telegram_dedy-bukhtyat).

Use Instead

  • GitHub data: Composio GITHUB_* tools — GITHUB_LIST_WORKFLOW_RUNS_FOR_A_REPOSITORY, GITHUB_GET_PULL_REQUEST_BY_NUMBER, GITHUB_GET_AN_ISSUE, GITHUB_SEARCH_ISSUES_AND_PULL_REQUESTS, GITHUB_SEARCH_REPOSITORIES. The client is authenticated (GitHub allows 5000 req/hr authenticated vs 60 unauthenticated) and every call returns a structured {successful, error} envelope.
  • SQLite queries: python3 -c 'import sqlite3; conn = sqlite3.connect("/workspace/store/messages.db"); ...'. The sqlite3 stdlib module ships with Python; the standalone CLI does not.
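The Python route above, worked through as an added example (this is not code from the nanoclaw-trusted rules). It goes one step further than the one-liner: the store is opened through a file: URI with mode=ro so an ad-hoc query can never modify it, and queries are parameterised so chat-derived values never get spliced into SQL. The table layout, rows and chat names below are constructed for the demo; the real schema is documented in the messages-db-schema rule, not here.

```python
# Added example, not code from the nanoclaw-trusted rules: query the message
# store with Python's bundled sqlite3 module (the route this rule prescribes)
# instead of the absent sqlite3 CLI. The table layout, rows and chat names are
# constructed for the demo; the real schema lives in the messages-db-schema rule.
import os
import sqlite3
import tempfile
from pathlib import Path


def readonly_uri(db_path):
    # file: URI with mode=ro, so the connection refuses writes even if an
    # agent-assembled statement turns out to be an UPDATE or DELETE.
    return Path(db_path).resolve().as_uri() + "?mode=ro"


def query(db_path, sql, params=()):
    # Parameterised query over a read-only connection; rows come back as dicts
    # so callers address columns by name rather than by position.
    conn = sqlite3.connect(readonly_uri(db_path), uri=True)
    conn.row_factory = sqlite3.Row
    try:
        return [dict(row) for row in conn.execute(sql, params)]
    finally:
        conn.close()


def write_is_blocked(db_path):
    # True when the read-only connection rejects a write: the guarantee we
    # rely on when running exploratory queries against the live store.
    conn = sqlite3.connect(readonly_uri(db_path), uri=True)
    try:
        conn.execute("DELETE FROM messages")
        conn.commit()
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()


def build_demo_store(db_path):
    # Constructed sample data standing in for /workspace/store/messages.db.
    conn = sqlite3.connect(db_path)
    with conn:
        conn.execute(
            "CREATE TABLE messages ("
            "id INTEGER PRIMARY KEY, chat_jid TEXT, sender TEXT, "
            "content TEXT, ts TEXT)"
        )
        conn.executemany(
            "INSERT INTO messages (chat_jid, sender, content, ts) VALUES (?, ?, ?, ?)",
            [
                ("telegram_swarm", "alice", "gh: command not found", "2026-04-28T09:00:00Z"),
                ("telegram_swarm", "bob", "use the Composio GITHUB_* tools", "2026-04-28T09:01:00Z"),
                ("telegram_old-wtf", "carol", "sqlite3: command not found", "2026-04-29T12:00:00Z"),
            ],
        )
    conn.close()


def run_demo():
    # Builds a throwaway store in a temp dir and exercises the helpers above.
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "messages.db")
        build_demo_store(db_path)
        swarm = query(
            db_path,
            "SELECT sender, content FROM messages WHERE chat_jid = ? ORDER BY id",
            ("telegram_swarm",),
        )
        per_chat = query(
            db_path,
            "SELECT chat_jid, COUNT(*) AS n FROM messages GROUP BY chat_jid ORDER BY chat_jid",
        )
        return {
            "swarm": swarm,
            "per_chat": {row["chat_jid"]: row["n"] for row in per_chat},
            "write_blocked": write_is_blocked(db_path),
        }


if __name__ == "__main__":
    print(run_demo())
```

Against the real store you would skip build_demo_store and pass /workspace/store/messages.db to query(); the mode=ro URI is the part worth keeping, since a read-only handle turns an accidental mutation into an immediate OperationalError instead of a silent change to shared memory.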

Don't Propose Installing Either

gh is intentionally absent — Composio is the prescribed GitHub path even when gh would have worked, because the auth + rate-limit + structured-error story is strictly better. sqlite3 CLI is intentionally absent — the Python stdlib covers every realistic case. Suggesting apk add / apt install / a Dockerfile change misreads the situation.

Sibling Rules

  • For the schema agents need before writing SQL, see the messages-db-schema rule.
  • For why curl https://api.github.com/... is also wrong even though it doesn't return command not found, see the github-data-via-composio rule.

rules/
  • cli-tools-not-installed.md
  • compaction-aware-summaries.md
  • daily-discoveries-rule.md
  • github-data-via-composio.md
  • ground-truth-trusted.md
  • identity-dual-handle.md
  • installed-content-immutable.md
  • memory-file-locations.md
  • messages-db-schema.md
  • no-orphan-tasks.md
  • no-silent-defer.md
  • proactive-fact-saving.md
  • session-bootstrap.md
  • trusted-behavior.md
  • verification-protocol.md
  • wiki-awareness.md
README.md
tile.json