Author: BitsLab, AI Security Company

When an AI Agent possesses system-level capabilities such as shell execution, file read and write, network requests, and scheduled tasks, it is no longer just a "chatbot" — it is an operator with real permissions. This means that a command induced by prompt injection could potentially delete critical data; a Skill poisoned by the supply chain might quietly leak credentials; an unverified business operation could lead to irreversible losses.

Traditional security solutions usually fall into two extremes: either completely relying on the AI's own "judgment" for self-regulation (easily bypassed by carefully constructed prompts), or piling up rigid rules that lock the Agent down (losing the core value of the Agent).

This in-depth guide from BitsLab chooses a third path: dividing security responsibilities according to "who checks," allowing three types of roles to maintain their positions.

- Regular Users: As the final line of defense, responsible for key decisions and regular reviews. We provide precautions to reduce cognitive load.

- The Agent itself: Consciously adheres to behavior norms and audit processes during operation. We provide Skills to inject security knowledge into the Agent's context.

- Deterministic Scripts: Execute checks mechanically and faithfully, unaffected by prompt injections. We provide Scripts that cover common known dangerous patterns.

No single checker is omnipotent. Scripts cannot understand semantics, the Agent may be deceived, and humans can become fatigued. But the combination of the three ensures both the convenience of everyday use and the prevention of high-risk operations.

Regular Users (Precautions)

Users are the final line of defense and the highest authority in the security system. Below are security matters that users need to pay personal attention to and execute.

a) API Key Management

- Configuration files must be set with proper permissions to prevent others from viewing them at will:

- Never submit the API key to the code repository!

b) Channel Access Control (Very Important!)

- Be sure to set a whitelist (`allowFrom`) for each communication channel, otherwise anyone can chat with your Agent:

⚠️ In the new version, an empty `allowFrom` means denying all access. If you want to open it, you must explicitly write `["*"]`, but this is not recommended.

c) Do not run with root permissions

- It is recommended to create a dedicated user to run the Agent to avoid excessive permissions:

d) Avoid using email channels

- Email protocols are complex and relatively risky. Our BitsLab team has researched and confirmed a [critical] level vulnerability related to email. Below is the project party's response. We currently still have some questions pending confirmation from the project party, so use email-related functional modules with caution.

e) It is recommended to deploy in Docker

- It is advisable to deploy the nanobot in a Docker container, isolating it from the daily usage environment to prevent security risks caused by mixed permissions or environments.

Tool Installation Steps

Tool Principles

SKILL.md

Based on cognitive awakening, intent review breaks through the traditional AI's blind spot of passively receiving commands. It includes a compulsory “Self-Wakeup” thinking chain mechanism that requires the AI to first awaken an independent security review persona in the background before processing any user request. By conducting contextual analysis and independent judgment on user intents, it proactively identifies and intercepts potential high-risk threats, achieving an upgrade from "mechanical execution" to "intelligent firewall." When malicious commands (such as reverse shells, sensitive file theft, large-scale deletions, etc.) are detected, the tool will execute a standardized hard interception protocol (outputting `[Bitslab nanobot-sec skills detected sensitive operation..., intercepted]` warning).

Malicious Command Execution Interception (Shell & Cron Protection)

Acts as a "zero trust" gateway during Agent operations involving system-level commands. The frontline directly blocks various destructive actions and hazardous payloads (such as `rm -rf` for malicious deletion, permission tampering, reverse shells, etc.). At the same time, the tool includes in-depth runtime inspection capabilities that can proactively scan and clean persistent backdoors and malicious execution characteristics in system processes and Cron scheduled tasks, ensuring absolute safety of the local environment.

Sensitive Data Theft Interception (File Access Verification)

Implements strict physical isolation for core assets. The system has preset rigorous file verification rules, prohibiting the AI from unauthorized reading of sensitive files like `config.json`, `.env` that contain API keys and core configurations and sending them out. Additionally, the security engine will audit file read logs in real-time (such as the call sequences of the `read_file` tool), effectively cutting off the possibility of credential leaks and data exfiltration from the source.

MCP Skill Security Audit

For MCP type skills, the tool automatically audits their context interactions and data processing logic for risks such as sensitive information leakage, unauthorized access, and dangerous command injections, and compares them with security baselines and whitelists.

New Skill Download and Automatic Security Scanning

When downloading new skills, the tool will automatically perform static code analysis with audit scripts, compare security baselines and whitelists, and check for sensitive information and dangerous commands, ensuring that skills are loaded only after they are confirmed safe and compliant.

Tamper-Proof Hash Baseline Verification

To ensure absolute zero trust of core system assets, the protection shield will continuously establish and maintain SHA256 encrypted signature baselines for critical configuration files and memory nodes. The nighttime inspection engine will automatically verify the temporal changes in every file hash, capable of capturing any unauthorized tampering or out-of-bounds overwriting in milliseconds, completely cutting off local backdoor implantation and "poisoning" risks from the physical storage layer.

Automated Disaster Recovery Backup Snapshot Rotation

Given that the local Agent has extremely high read and write permissions on the file system, the system has built-in the highest level of automated disaster recovery mechanism. The protection engine will automatically trigger a full sandbox-level archive of the active working area every night, generating a security snapshot mechanism with a maximum retention of 7 days (automatically rotating). Even in the event of unexpected damage or accidental deletion under extreme circumstances, it can achieve lossless one-click rollback of the development environment, maximizing the continuity and resilience of local digital assets.

Disclaimer

This guide serves only as a reference for security practices and does not constitute any form of security guarantee.

1. No Absolute Security: All measures described in this guide (including deterministic scripts, Agent Skills, and user precautions) are "best effort" protections that cannot cover all attack vectors. AI Agent security is a rapidly evolving field, and new attack methods may appear at any time.

2. User Responsibility: Users deploying and using Nanobot should assess the security risks of their operating environment on their own and adjust the recommendations in this guide based on practical scenarios. Any losses resulting from incorrect configuration, failure to update in a timely manner, or ignoring security warnings are the responsibility of the user.

3. Not a Substitute for Professional Security Audits: This guide cannot replace professional security audits, penetration testing, or compliance assessments. For scenarios involving sensitive data, financial assets, or critical infrastructure, it is strongly recommended to hire a professional security team for independent assessments.

4. Third-Party Dependencies: The security of third-party libraries, API services, and platforms (such as Telegram, WhatsApp, LLM providers, etc.) relied upon by Nanobot is beyond the control of this guide. Users should pay attention to the security announcements of related dependencies and update them promptly.

5. Scope of Disclaimer: The maintainers and contributors of the Nanobot project are not liable for any direct, indirect, incidental, or consequential damages arising from the use of this guide or Nanobot software.

Using this software indicates that you understand and accept the above risks.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。