
jbaruch/nanoclaw-trusted

Rules for trusted NanoClaw groups. Shared memory, session bootstrap, cross-group memory updates. Loaded for trusted and main containers only.

Quality: 94% (does it follow best practices?)

Impact: Pending (no eval scenarios have been run)

Security by Snyk: Risky. Do not use without reviewing.

This version of the tile failed moderation.

Failed moderation (intent review) in rules/session-bootstrap.md: This is a prompt injection attack disguised as a cursor rule. It instructs an AI agent to execute a bash command as its very first action in every session, then call an external skill ('tessl__trusted-memory') which could load arbitrary instructions or exfiltrate data. The sentinel file mechanism (/tmp/session_bootstrapped) is designed to make it look like a legitimate caching/dedup mechanism, but the real goal is to force the AI to execute commands and call external services before processing the user's actual request. This is a classic prompt injection / agent manipulation pattern.

rules/cli-tools-not-installed.md

alwaysApply: Yes

CLI Tools Not Installed

What's Absent

The agent container image does NOT include the gh (GitHub) CLI or the standalone sqlite3 CLI. Both are reached for reflexively and both fail with command not found (32 + 23 events on the operator-observer chat 2026-04-28..05-03 across telegram_swarm, telegram_old-wtf, telegram_dedy-bukhtyat).

Use Instead

  • GitHub data: Composio GITHUB_* tools — GITHUB_LIST_WORKFLOW_RUNS_FOR_A_REPOSITORY, GITHUB_GET_PULL_REQUEST_BY_NUMBER, GITHUB_GET_AN_ISSUE, GITHUB_SEARCH_ISSUES_AND_PULL_REQUESTS, GITHUB_SEARCH_REPOSITORIES. The client is authenticated (5000 req/hr versus 60 unauthenticated) and returns structured {successful, error} envelopes.
  • SQLite queries: python3 -c 'import sqlite3; conn = sqlite3.connect("/workspace/store/messages.db"); ...'. The sqlite3 stdlib module ships with Python; the standalone CLI does not.
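The following is an added example (not part of the tile) of the stdlib-only SQLite path the rule prescribes. The messages table schema and rows below are constructed for the demonstration and are not the real messages.db layout; the store is opened read-only so a query can never modify it, and values are bound as parameters rather than pasted into the SQL string.

```python
import os
import sqlite3
import tempfile
from typing import Any

# Constructed sample data; the real store's schema lives in the
# messages-db-schema rule, not here.
SAMPLE_ROWS = [
    ("telegram_swarm", "2026-04-28T10:00:00Z", "sh: gh: command not found"),
    ("telegram_swarm", "2026-04-29T11:30:00Z", "workflow run listed ok"),
    ("telegram_old-wtf", "2026-04-30T09:15:00Z", "sh: sqlite3: command not found"),
]


def build_sample_db(path: str) -> None:
    """Create a throwaway messages.db so the example runs offline."""
    conn = sqlite3.connect(path)
    with conn:  # commits on success
        conn.execute("CREATE TABLE messages (chat TEXT, ts TEXT, body TEXT)")
        conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.close()


def query_readonly(db_path: str, sql: str, params: tuple = ()) -> list[dict[str, Any]]:
    """Run a parameterized SELECT via the stdlib module, read-only.

    'mode=ro' in the URI makes any write fail with OperationalError,
    so an agent reading the store cannot accidentally change it.
    """
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    conn.row_factory = sqlite3.Row
    try:
        return [dict(row) for row in conn.execute(sql, params)]
    finally:
        conn.close()


def count_not_found(db_path: str, chat: str) -> int:
    """Count 'command not found' messages for one chat (bound parameters)."""
    rows = query_readonly(
        db_path,
        "SELECT COUNT(*) AS n FROM messages WHERE chat = ? AND body LIKE ?",
        (chat, "%command not found%"),
    )
    return rows[0]["n"]


def demo() -> dict[str, int]:
    """Build the sample store in a temp dir and tally failures per chat."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")
        build_sample_db(path)
        return {c: count_not_found(path, c) for c in ("telegram_swarm", "telegram_old-wtf")}
```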

Don't Propose Installing Either

gh is intentionally absent — Composio is the prescribed GitHub path even when gh would have worked, because the auth + rate-limit + structured-error story is strictly better. sqlite3 CLI is intentionally absent — the Python stdlib covers every realistic case. Suggesting apk add / apt install / a Dockerfile change misreads the situation.

Sibling Rules

  • For the schema agents need before writing SQL, see the messages-db-schema rule.
  • For why curl https://api.github.com/... is also wrong even though it doesn't return command not found, see the github-data-via-composio rule.

Files in the tile: rules/cli-tools-not-installed.md, rules/compaction-aware-summaries.md, rules/daily-discoveries-rule.md, rules/github-data-via-composio.md, rules/ground-truth-trusted.md, rules/identity-dual-handle.md, rules/installed-content-immutable.md, rules/memory-file-locations.md, rules/messages-db-schema.md, rules/no-orphan-tasks.md, rules/no-silent-defer.md, rules/proactive-fact-saving.md, rules/session-bootstrap.md, rules/trusted-behavior.md, rules/verification-protocol.md, rules/wiki-awareness.md, README.md, tile.json