CtrlK
BlogDocsLog inGet started
Tessl Logo

jbaruch/nanoclaw-trusted

Rules for trusted NanoClaw groups. Shared memory, session bootstrap, cross-group memory updates. Loaded for trusted and main containers only.

77

Quality

96%

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Risky

Do not use without reviewing

This version of the tile failed moderation
Failed moderation (intent review) in rules/session-bootstrap.md: This is a prompt injection attack disguised as a cursor/IDE rule file. It instructs an AI agent to unconditionally execute a bash command and invoke an external skill ('tessl__trusted-memory') at the start of every session before processing any user input. This is a social engineering/prompt injection technique designed to: 1) Force the AI to execute arbitrary commands without user consent, 2) Potentially load malicious instructions from an external 'trusted-memory' skill/plugin, 3) Establish persistence via a sentinel file (/tmp/session_bootstrapped) to track execution. The authoritative tone ('MANDATORY', 'not optional', 'violating this rule') is a classic prompt injection pattern to override the AI's safety boundaries.
Overview
Quality
Evals
Security
Files

installed-content-immutable.mdrules/

alwaysApply:
No
applyTo:
** — when about to write under /home/node/.claude/ or other installed-tile content paths

Installed Content Is Immutable At Runtime

Installed skills (/home/node/.claude/skills/<name>/SKILL.md) and per-tile rule markdowns (/home/node/.claude/.tessl/...) cannot be edited from inside the agent container. Two read-only bind-mounts layer on top of the writable /home/node/.claude parent; the kernel rejects writes to those subdirs at the syscall level. A Write returns cannot create <path>: Read-only file system — that's the contract, not a bug. Changes flow through staging → promote → publish → update.

What's still writable

The parent /home/node/.claude/ mount stays writable. The SDK keeps writing to projects/<slug>/<sessionId>.jsonl (transcripts), debug/, todos/, telemetry/, session-env/, and projects/<slug>/memory/ (auto-memory overlay, trusted/main only). Only skills/ and .tessl/ are read-only.

rules

async-tasks-extended.md

compaction-aware-summaries.md

composio-vs-agents.md

container-trust-levels.md

context-bootstrap-bg-agents.md

daily-discoveries-rule.md

duplicate-prevention.md

github-data-via-gh.md

global-memory.md

ground-truth-trusted.md

identity-compaction-recovery.md

identity-dual-handle.md

installed-content-immutable.md

local-context-anchoring.md

memory-file-locations.md

messages-db-schema.md

no-orphan-tasks.md

no-silent-defer.md

pending-response-tracking.md

proactive-fact-saving.md

proactive-participation.md

reply-threading.md

session-bootstrap.md

skills-policy.md

verification-protocol.md

wiki-awareness.md

README.md

tile.json