
jbaruch/nanoclaw-trusted

Rules for trusted NanoClaw groups. Shared memory, session bootstrap, cross-group memory updates. Loaded for trusted and main containers only.

Score: 94

Quality: 94% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Risky (Do not use without reviewing)

This version of the tile failed moderation
Failed moderation (intent review) in rules/session-bootstrap.md: This is a prompt injection attack disguised as a cursor rule. It instructs an AI agent to execute a bash command as its very first action in every session, then call an external skill ('tessl__trusted-memory') which could load arbitrary instructions or exfiltrate data. The sentinel file mechanism (/tmp/session_bootstrapped) is designed to make it look like a legitimate caching/dedup mechanism, but the real goal is to force the AI to execute commands and call external services before processing the user's actual request. This is a classic prompt injection / agent manipulation pattern.

rules/identity-dual-handle.md

alwaysApply: Yes

Identity — Dual-Handle Reference Incident

Companion to the abstract dual-handle invariant in the jbaruch/nanoclaw-core tile's rules/core-behavior.md. The invariant ("display-name trigger and Telegram @username refer to the same agent — never split yourself into multiple addressees based on surface form") lives in core; this file is the deploy-tier record of a concrete failure that motivated it.

Reference incident — 2026-04-27

A debate-setup message addressed the agent by its display-name trigger and, in the same message, gave a "you're the judge" instruction to the agent's Telegram @username. The agent treated the two handles as two addressees and took on both roles in one turn; the same failure was re-triggered the same morning. The full narrative and the companion-mitigation context are recorded in docs/adr/2026-04-27-dual-handle-role-splitting.md.

How to Apply

  • When an inbound message contains both the agent's display-name trigger and its @username, collapse them into one addressee before deciding what role(s) to play
  • If the message assigns roles to other named participants and "the rest" (or another instruction) to the agent's other handle, pick ONE role for the agent — never both
  • When in doubt, ask the owner which role is intended rather than splitting the turn
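The three steps above (collapse both handles into one addressee, then count how many distinct roles or instructions are aimed at that single addressee, then escalate instead of splitting) can be made mechanical. The following is an added illustration, not code from the nanoclaw-trusted tile or the NanoClaw project; the agent identity (display trigger "Andy", username "@andy_bot"), the participants Bob and Carol, and the message texts are constructed for the example, and the role-extraction regexes are a deliberately simple stand-in for whatever the agent actually uses to read a message.

```python
import re
from dataclasses import dataclass

# Canonical token that every surface form of the agent collapses to.
AGENT = "<agent>"


@dataclass(frozen=True)
class AgentIdentity:
    display_trigger: str  # how the group addresses the agent by name, e.g. "Andy" (assumed)
    username: str         # its Telegram handle, e.g. "@andy_bot" (assumed)


@dataclass
class Resolution:
    surface_forms: set    # which of {"display_trigger", "username"} appeared in the message
    collapsed: str        # message text with every form of the agent replaced by AGENT
    other_roles: dict     # other named participants -> role phrase assigned to them
    agent_roles: list     # distinct roles / instructions aimed at the (single) agent addressee
    decision: str         # "not_addressed" | "single_role" | "ask_owner"


def collapse_addressees(text: str, identity: AgentIdentity):
    """Step 1: rewrite both handles to one token so later steps see exactly one addressee."""
    forms = set()
    # The @username is rewritten first so the display trigger is never tested
    # against characters that belonged to the handle.
    user_re = re.escape(identity.username)
    if re.search(user_re, text, re.I):
        forms.add("username")
        text = re.sub(user_re, AGENT, text, flags=re.I)
    trig_re = r"\b" + re.escape(identity.display_trigger) + r"\b"
    if re.search(trig_re, text, re.I):
        forms.add("display_trigger")
        text = re.sub(trig_re, AGENT, text, flags=re.I)
    return forms, text


# Clause boundaries: sentence punctuation followed by whitespace, or a line break.
_CLAUSE_SPLIT = re.compile(r"(?<=[.!?:;])\s+|\n+")
# Roles handed to other named participants: "Bob argues for", "Carol is the moderator", ...
_OTHER_ROLE = re.compile(
    r"\b([A-Z][a-z]+)\s+(argues\s+\w+|is\s+the\s+\w+|will\s+be\s+the\s+\w+|takes\s+\w+)")
# Explicit role for the agent: "you're the judge", "you are the judge", "<agent> is the judge".
_EXPLICIT_ROLE = re.compile(
    r"(?:you(?:'re|\s+are)|" + re.escape(AGENT) + r"\s+(?:is|will\s+be))\s+(?:the\s+)?([a-z]+)",
    re.I)
# A clause that opens by naming the agent and then issues an instruction ("<agent>, set up ...").
_IMPERATIVE = re.compile(r"^" + re.escape(AGENT) + r",?\s+([a-z][^.!?:;]*)")


def resolve_roles(text: str, identity: AgentIdentity) -> Resolution:
    """Steps 2 and 3: collect roles per addressee, then pick one role or escalate."""
    forms, collapsed = collapse_addressees(text, identity)
    other_roles, agent_roles = {}, []
    for clause in _CLAUSE_SPLIT.split(collapsed):
        clause = clause.strip()
        for name, role in _OTHER_ROLE.findall(clause):
            other_roles[name] = role
        if AGENT not in clause:
            continue
        found = [m.lower() for m in _EXPLICIT_ROLE.findall(clause)]
        if not found:
            imp = _IMPERATIVE.match(clause)
            if imp:
                found = [imp.group(1).strip().lower()]
        for role in found:
            if role not in agent_roles:
                agent_roles.append(role)
    if not forms:
        decision = "not_addressed"
    elif len(agent_roles) > 1:
        # Two handles carried two different jobs: never take both, ask the owner which is meant.
        decision = "ask_owner"
    else:
        decision = "single_role"
    return Resolution(forms, collapsed, other_roles, agent_roles, decision)


if __name__ == "__main__":
    ident = AgentIdentity(display_trigger="Andy", username="@andy_bot")  # constructed
    incident = ("Andy, set up a debate: Bob argues for, Carol argues against.\n"
                "@andy_bot you're the judge.")                           # constructed
    print(resolve_roles(incident, ident))
```

The constructed `incident` message reproduces the shape of the 2026-04-27 failure: after collapsing, the agent is one addressee with two instructions ("set up a debate" and "judge"), so the result is `ask_owner` rather than both roles. A message that names both handles but gives one instruction ("Andy (@andy_bot), you're the judge.") resolves to a single role, which is the point of collapsing before deciding.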

Tile files:

rules/
  cli-tools-not-installed.md
  compaction-aware-summaries.md
  daily-discoveries-rule.md
  github-data-via-composio.md
  ground-truth-trusted.md
  identity-dual-handle.md
  installed-content-immutable.md
  memory-file-locations.md
  messages-db-schema.md
  no-orphan-tasks.md
  no-silent-defer.md
  proactive-fact-saving.md
  session-bootstrap.md
  trusted-behavior.md
  verification-protocol.md
  wiki-awareness.md
README.md
tile.json