Nanobot User Security Practices: Safeguarding the Last Line of Defense for AI Permissions

Author: BitsLab, AI Security Company

When an AI agent possesses system-level capabilities such as shell execution, file reading and writing, network requests, and scheduled tasks, it is no longer just a "chatbot"—it becomes an operator with real privileges. This means that: a command induced by prompt injection may delete critical data; a skill poisoned by the supply chain may quietly leak credentials; and an unverified business operation may cause irreversible losses.

Traditional security solutions typically go to two extremes: either relying entirely on the AI's own "judgment" to self-regulate (which is easily bypassed by carefully crafted prompts), or piling up a large number of rigid rules to lock the agent in (losing the agent's core value).

This in-depth product guide from BitsLab chooses a third approach: dividing security responsibilities according to "who performs the inspection," ensuring that each of the three roles fulfills its proper function.

- Regular users: As the last line of defense, responsible for critical decisions and regular reviews. We provide notes to reduce cognitive load.

- The Agent itself: Adheres to behavioral guidelines and auditing processes at runtime. We provide skills to inject security knowledge into the Agent context.

- Deterministic scripts: Perform checks mechanically and faithfully, unaffected by prompt injection. We provide scripts covering common known danger patterns.

No single inspector is omnipotent. Scripts cannot understand semantics, agents can be fooled, and humans can become fatigued. But the combination of these three ensures both convenience for daily use and protection against high-risk operations.

For regular users (notes)

Users are the final line of defense and the ultimate authority in a security system. The following are security matters that users need to personally oversee and implement.

a) API Key Management

- Configure the configuration file with proper permissions to prevent unauthorized access:

Never submit your API key to the code repository!

b) Channel access control (extremely critical!)

- You must set up a whitelist (`allowFrom`) for each communication channel; otherwise, anyone can chat with your agent.

⚠️ In the new version, an empty `allowFrom` means denying all access. If you want to allow access, you must explicitly write `["*"]`, but this is not recommended.

c) Do not run with root privileges.

- It is recommended to create a dedicated user to run the Agent to avoid excessive privileges:

d) Try to avoid using email channels.

Email protocols are complex and relatively risky. Our BitsLab team has discovered and confirmed a critical vulnerability related to email. The following is the project team's response. We still have several issues pending confirmation from the project team, so please use email-related functional modules with caution.

e) Deployment in Docker is recommended.

- It is recommended to deploy nanobot in a Docker container to isolate it from the daily use environment and avoid security risks caused by mixed permissions or environments.

Tool installation steps

Tool Principles

SKILL.md

Intent review based on cognitive awakening breaks through the blind spot of traditional AI passively receiving instructions. It incorporates a mandatory "self-wakeup" thought chain mechanism, requiring the AI ​​to first activate an independent security review persona in the background before processing any user request. Through contextual analysis and independent judgment of user intent, it proactively identifies and blocks potential high-risk activities, achieving an upgrade from "mechanical execution" to "intelligent firewall." When malicious instructions are detected (such as reverse shells, sensitive file theft, large-scale deletion, etc.), the tool executes a standardized hard interception protocol (outputting `[Bitslab nanobot-sec skills detected sensitive operation..., blocked]` warning).

Malicious command execution interception (Shell & Cron protection)

The Agent acts as a "zero-trust" gateway when executing operating system-level commands. It directly blocks various destructive operations and dangerous payloads (such as `rm -rf` malicious deletion, permission tampering, and reverse shells). Simultaneously, the tool has built-in deep-level runtime inspection capabilities, proactively scanning and cleaning persistent backdoors and malicious execution characteristics from system processes and Cron scheduled tasks, ensuring absolute security of the local environment.

Sensitive data theft prevention (file access verification)

Strict physical read/write isolation is implemented for core assets. The system has pre-set rigorous file verification rules to strictly prohibit AI from unauthorized reading and external transmission of sensitive files such as `config.json` and `.env` containing API keys and core configurations. In addition, the security engine will audit file read logs in real time (such as the call sequence of the `read_file` tool) to completely eliminate the possibility of credential leakage and data transfer at the source.

MCP Skills Safety Audit

For MCP-type skills, the tool will automatically audit their contextual interactions and data processing logic to detect risks such as sensitive information leakage, unauthorized access, and dangerous command injection, and compare them with security baselines and whitelists.

New skill downloads and automatic security scans

When downloading new skills, the tool uses audit scripts to automatically perform static code analysis, compare security baselines and whitelists, and detect sensitive information and dangerous commands to ensure that the skills are safe and compliant before loading them.

Anti-tamper hash baseline verification

To ensure absolute zero trust in the underlying assets of the system, the protection shield continuously establishes and maintains SHA256 cryptographic signature baselines for critical configuration files and memory nodes. The nighttime inspection engine automatically checks the temporal changes of every file hash, instantly capturing any unauthorized tampering or unauthorized overwriting within milliseconds, completely eliminating the risk of local backdoor implantation and "poisoning" at the physical storage layer.

Automated disaster recovery backup snapshot rotation

Given that the local agent has extremely high read and write permissions to the file system, the system has a built-in top-level automated disaster recovery mechanism. Every night, the protection engine automatically triggers a full sandbox-level archive of active workspaces and generates a security snapshot mechanism that retains it for up to 7 days (automatic rotation). Even in the event of accidental damage or deletion under extreme circumstances, a lossless one-click rollback of the development environment can be achieved, maximizing the continuity and resilience of local digital assets.

Disclaimer

This guide is intended as a reference for security practices and does not constitute any form of security guarantee.

1. No absolute security: All measures described in this guide (including deterministic scripts, Agent Skills, and user considerations) are "best effort" protections and cannot cover all attack vectors. AI Agent security is a rapidly evolving field, and new attack methods may emerge at any time.

2. User Responsibility: Users who deploy and use Nanobot should assess the security risks of their operating environment themselves and adjust the recommendations in this guide according to their actual scenarios. Users shall bear all losses resulting from improper configuration, failure to update in a timely manner, or ignoring security warnings.

3. Non-Professional Security Audit Alternatives: This guide is not a substitute for professional security audits, penetration testing, or compliance assessments. For scenarios involving sensitive data, financial assets, or critical infrastructure, it is strongly recommended to engage a professional security team for an independent assessment.

4. Third-Party Dependencies: The security of third-party libraries, API services, and platforms that Nanobot depends on (such as Telegram, WhatsApp, LLM providers, etc.) is not within the scope of this guide. Users should pay attention to the security announcements of relevant dependencies and update them in a timely manner.

5. Disclaimer: The maintainers and contributors to the Nanobot project shall not be liable for any direct, indirect, incidental or consequential damages arising from the use of this guide or Nanobot software.

By using this software, you acknowledge and accept the aforementioned risks.