Goal: the agent has no unfiltered egress and never holds a raw credential — every outbound request routes through a vault that injects scoped short-lived tokens on the wire.
A common breakdown of agent risk lists six categories: (1) prompt injection, (2) dangerous packages, (3) sensitive file access, (4) proprietary data exfiltration, (5) unauthorized privileged actions, and (6) viruses. Simon Willison condenses the exfiltration path into the lethal trifecta: (a) access to private data, (b) exposure to untrusted content, and (c) ability to communicate externally. An agent holding all three can be steered by injected content into leaking the data; removing any one leg breaks the chain.
This project attacks (c) hardest, by restricting and mediating every external channel, and uses that to bound the others. Mitigated by the architecture:

| Risk | How |
|---|---|
| Data exfiltration (risk 4, trifecta a+c) | The agent has no direct internet route. All egress goes through Squid (default-deny domain allowlist) and the OneCLI MITM proxy, so the agent cannot phone home to an arbitrary host. |
| Credential theft via injection (risk 1, trifecta b→a) | The agent holds no secrets in its environment or filesystem. OneCLI injects per-request, scoped, short-lived tokens at the proxy layer, after the request has left the agent. An injected prompt can ask the agent for credentials, but there is nothing in its context to hand over. |
| Privileged action without consent (risk 5) | OneCLI acts as a consent proxy: each SaaS action needs a scoped token minted by the vault, which the agent can neither mint nor widen itself. |
| Viruses / persistence (risk 6) | Containers are ephemeral, so nothing persists across runs. The host Docker socket is not mounted. The sandbox tier runs inside a contained DinD with no network. |

Not mitigated, or only partially (residual risk):

| Risk | Why |
|---|---|
| Prompt injection → tool misuse (risk 1 continued) | An injected prompt can still steer the agent into using its legitimate, allowlisted tools for unintended ends (e.g. "forward that thread to this address" through a permitted mail API). The vault model controls who holds credentials, not what an authorized action does. |
| Dangerous packages / supply chain (risk 2) | No SBOM or signature validation of installed packages. The command allowlist on identity tiers narrows what can run, but it is only as good as the allowlist itself. |
| Sensitive file access (risk 3) | Workspace volumes are shared by design; there is no per-file ACL. Mitigated only by tier isolation: identity tiers have no shell, and the sandbox tier has no credentials to exfiltrate with. |
| Covert channel via legitimate egress | If an allowlisted domain is malicious, compromised, or simply accepts arbitrary user-supplied content, data can flow out through it. The proxy checks destination, not content; there is no egress content inspection. |
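The two proxy checks both tables lean on, as a toy model (an added example, not the project's OneCLI or Squid code): default-deny egress on the destination host, and injection of a short-lived token scoped to one host and method after the request has left the agent. The last case in `main()` is the residual risk from the row above: a request to an allowlisted host with data smuggled into the query string passes, because the proxy looks at the destination, not the payload. `Vault`, `route_request`, `EgressDenied`, the token format and the allowlist contents are assumptions made for this example.

```python
"""Toy model of the egress/vault proxy.

Added example, not the project's OneCLI or Squid code.  Every outbound request
gets two checks: default-deny egress (destination must be allowlisted) and
credential injection (the agent sends no secret; the proxy mints a token scoped
to one host and method and adds it on the wire).  Vault, route_request,
EgressDenied and the token format are assumptions made for this example.
"""
from __future__ import annotations

import hashlib
import hmac
import time
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed allowlist for the example; in the project it lives in Squid's config.
EGRESS_ALLOWLIST = frozenset({"api.github.com", "slack.com"})

# Headers an injected prompt might coax the agent into setting itself.  The proxy
# strips them so the only credential on the wire is the vault-minted one.
AGENT_CREDENTIAL_HEADERS = frozenset({"authorization", "cookie", "x-api-key"})


class EgressDenied(Exception):
    """Raised when the destination host is not on the allowlist."""


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)


class Vault:
    """Mints tokens bound to (host, method, expiry).  A real vault would exchange
    for a provider token; an HMAC tag over the scope stands in here so that the
    scoping is visible and checkable.  Hypothetical API."""

    def __init__(self, root_secret: bytes, ttl_seconds: int = 60):
        self._root = root_secret
        self.ttl = ttl_seconds

    def _tag(self, scope: str) -> str:
        return hmac.new(self._root, scope.encode(), hashlib.sha256).hexdigest()[:16]

    def mint(self, host: str, method: str, now: float) -> str:
        scope = f"{host}:{method}:{int(now) + self.ttl}"
        return f"{scope}:{self._tag(scope)}"

    def verify(self, token: str, host: str, method: str, now: float) -> bool:
        """What the SaaS side (or the vault) checks: tag, scope and expiry."""
        try:
            t_host, t_method, t_exp, tag = token.split(":")
            good_tag = hmac.compare_digest(tag, self._tag(f"{t_host}:{t_method}:{t_exp}"))
            return good_tag and t_host == host and t_method == method and now < int(t_exp)
        except (ValueError, TypeError):
            return False


def route_request(req: Request, vault: Vault, now: float | None = None) -> Request:
    """Apply the proxy policy and return the request as it leaves the vault."""
    now = time.time() if now is None else now
    host = (urlsplit(req.url).hostname or "").lower()
    method = req.method.upper()
    # 1. Default-deny egress: anything not allowlisted never leaves.
    if host not in EGRESS_ALLOWLIST:
        raise EgressDenied(f"{host!r} is not on the egress allowlist")
    # 2. Drop any credential the agent tried to supply (it should have none).
    headers = {k: v for k, v in req.headers.items()
               if k.lower() not in AGENT_CREDENTIAL_HEADERS}
    # 3. Inject a token scoped to exactly this host and method.
    headers["Authorization"] = "Bearer " + vault.mint(host, method, now)
    return Request(method, req.url, headers)


if __name__ == "__main__":
    vault = Vault(b"example-root-secret")
    now = time.time()

    out = route_request(Request("get", "https://api.github.com/user",
                                {"X-Api-Key": "from-injected-prompt"}), vault, now)
    print("allowed, credential injected:", out.headers)   # only the vault token remains

    try:
        route_request(Request("POST", "https://attacker.example/collect"), vault, now)
    except EgressDenied as e:
        print("denied:", e)

    tok = vault.mint("slack.com", "POST", now)
    print("slack token replayed to github:", vault.verify(tok, "api.github.com", "POST", now))

    # Residual risk: allowlisted destination, data smuggled in the query string.
    leak = route_request(Request("GET", "https://api.github.com/search?q=CONSTRUCTED_SECRET"),
                         vault, now)
    print("covert channel passes:", leak.url)
```

The `verify` method is the counterpart a token-accepting service would run; it is included so that "scoped" is checkable rather than asserted: a token minted for `slack.com` fails against `api.github.com`, against a different method, and after its expiry. The stripping of agent-supplied credential headers is belt-and-braces in this design, since the agent should hold none; it matters if a tier is ever given credentials it should not have.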
The unrestricted tier is a deliberate gap: it has shell, file and browser tools and a DinD sandbox with Squid egress. It holds no SaaS credentials, so the trifecta never completes there. If you add credentials to it, you have built a tier with all three legs; treat it as a separate risk surface.