BitsLab Deep Production: Nanobot User Security Practice Guide

When an AI Agent possesses system-level capabilities such as shell execution, file read/write, network requests, and scheduled tasks, it is no longer just a "chatbot"—it becomes an operator with real permissions. This means that a command induced by prompt injection could delete critical data; a skill poisoned by the supply chain could quietly leak credentials; an unverified business operation could cause irreversible losses.

Traditional security solutions often fall into two extremes: either completely relying on the AI's own "judgment" for self-restraint (which can easily be bypassed by carefully crafted prompts), or piling up a large number of rigid rules to lock down the Agent (thereby losing the core value of the Agent).

BitsLab's in-depth guide chooses a third path: dividing security responsibilities based on "who checks," allowing three types of roles to each play their part------

• Ordinary Users: As the final line of defense, responsible for key decisions and regular reviews. We provide considerations to reduce cognitive load.

• The Agent itself: Consciously adhering to behavioral norms and audit processes during runtime. We provide Skills to inject security knowledge into the Agent's context.

• Deterministic Scripts: Mechanically and faithfully executing checks, unaffected by prompt injection. We provide Scripts that cover common known dangerous patterns.

No single checker is omnipotent. Scripts cannot understand semantics, Agents may be deceived, and humans can experience fatigue. But the combination of the three ensures both convenience for daily use and prevention of high-risk operations.

1. Ordinary Users (Considerations)

Users are the final line of defense in the security system and the highest authority. Below are security matters that users need to pay attention to and execute personally.

a) API Key Management

• Configuration files should be set with appropriate permissions to prevent unauthorized viewing:

• Never submit API keys to code repositories!

b) Channel Access Control (Very Critical!)

• Be sure to set a whitelist (allowFrom) for each communication channel; otherwise, anyone can chat with your Agent:

⚠️ In the new version, an empty allowFrom means denying all access. If you want to open it, you must explicitly write ["*"], but this is not recommended.

c) Do not run with root privileges

• It is recommended to create a dedicated user to run the Agent to avoid excessive permissions:

d) Avoid using email channels

• Email protocols are complex and relatively risky. Our BitsLab team has discovered and confirmed a critical-level vulnerability related to email. Below is the project party's response; we still have several questions pending confirmation from the project party, so use email-related features with caution.

e) It is recommended to deploy in Docker

• It is recommended to deploy the nanobot in a Docker container, isolating it from the daily usage environment to avoid security risks caused by permission or environment mixing.

2. Tool Installation Steps

Below are the tools independently developed by BitsLab, with specific links: https://github.com/BitsLabSec/nanobot-security-guide

① Download the nanobot-security-guide project to the nanobot skills directory, or send a command to the agent to run the official installation script:

curl -sSL https://raw.githubusercontent.com/BitsLabSec/nanobot-security-guide/main/install.sh | bash

↓

② After installation, read the security practice guidelines in the project (such as README.md, SKILL.md) to understand core security configurations and operational recommendations.

↓

③ Send a command to your Agent: "Please carefully read this security guide and assess whether it is reliable?"

↓

④ Manually configure allowlist.txt and runtime-baseline.txt in the policy directory according to the document prompts to narrow permissions, set security baselines, and other measures.

↓

⑤ You can use the scripts in the scripts/ directory for security inspections and testing to ensure environmental safety.

3. Tool Principles

SKILL.md

The intent review based on cognitive awakening breaks through the blind spot of traditional AI passively receiving commands. It incorporates a mandatory "Self-Wakeup" thought chain mechanism, requiring the AI to first awaken an independent security review persona in the background before processing any user requests. By analyzing user intent contextually and independently, it actively identifies and intercepts potential high-risk threats, upgrading from "mechanical execution" to "intelligent firewall." When malicious commands (such as reverse shell, sensitive file theft, large-scale deletion, etc.) are detected, the tool executes a standardized hard interception protocol (outputting [Bitslab nanobot-sec skills detected sensitive operations..., intercepted] warning).

Malicious Command Execution Interception (Shell & Cron Protection)

Acts as a "zero trust" gateway when the Agent executes system-level commands. The defense line directly blocks various destructive operations and dangerous payloads (such as rm -rf malicious deletions, permission tampering, reverse shells, etc.). At the same time, the tool has built-in deep runtime inspection capabilities that can actively scan and clean persistent backdoors and malicious execution features in system processes and Cron scheduled tasks, ensuring absolute safety of the local environment.

Sensitive Data Theft Blocking (File Access Verification)

Implements strict physical isolation for core assets' read and write operations. The system has preset stringent file verification rules, prohibiting the AI from unauthorized reading of sensitive files such as config.json, .env, etc., which contain API keys and core configurations, and transmitting them externally. In addition, the security engine will also audit file read logs in real-time (such as the call sequence of the read_file tool), completely cutting off the possibility of credential leakage and data exfiltration from the source.

MCP Skill Security Audit

For MCP-type skills, the tool will automatically audit their contextual interactions and data processing logic, detecting risks such as sensitive information leakage, unauthorized access, and dangerous command injection, and comparing them with security baselines and whitelists.

New Skill Download and Automatic Security Scanning

When downloading new skills, the tool will automatically perform static code analysis using audit scripts, compare security baselines and whitelists, and detect sensitive information and dangerous commands, ensuring that skills are loaded only after confirming their safety and compliance.

Tamper-Proof Hash Baseline Verification

To ensure absolute zero trust for the underlying system assets, the protection shield will continuously establish and maintain SHA256 encrypted signature baselines for key configuration files and memory nodes. The nightly inspection engine will automatically verify the temporal changes of each file hash, capable of capturing any unauthorized tampering or privilege escalation in milliseconds, completely cutting off local backdoor implantation and "poisoning" risks from the physical storage layer.

Automated Disaster Recovery Backup Snapshot Rotation

Given that the local Agent has extremely high read and write permissions on the file system, the system has built-in the highest level of automated disaster recovery mechanisms. The protection engine will automatically trigger a full sandbox-level archive of the active workspace every night, generating a security snapshot mechanism with a maximum retention of 7 days (automatically rotating). Even in extreme cases of accidental damage or deletion, it can achieve lossless one-click rollback of the development environment, maximizing the continuity and resilience of local digital assets.

4. Disclaimer

This guide serves only as a reference for security practices and does not constitute any form of security guarantee.

1. No Absolute Security: All measures described in this guide (including deterministic scripts, Agent Skills, and user considerations) are "best effort" protections and cannot cover all attack vectors. AI Agent security is a rapidly evolving field, and new attack methods may emerge at any time.

2. User Responsibility: Users deploying and using Nanobot should assess the security risks of their operating environment and adjust the recommendations in this guide according to actual scenarios. Any losses resulting from incorrect configuration, failure to update in a timely manner, or ignoring security warnings are the user's responsibility.

3. Not a Substitute for Professional Security Audits: This guide cannot replace professional security audits, penetration testing, or compliance assessments. For scenarios involving sensitive data, financial assets, or critical infrastructure, it is strongly recommended to hire a professional security team for independent evaluation.

4. Third-Party Dependencies: The security of third-party libraries, API services, and platforms (such as Telegram, WhatsApp, LLM providers, etc.) that Nanobot relies on is outside the control of this guide. Users should pay attention to the security announcements of relevant dependencies and update them in a timely manner.

5. Scope of Liability: The maintainers and contributors of the Nanobot project are not liable for any direct, indirect, incidental, or consequential damages arising from the use of this guide or the Nanobot software.

Using this software indicates that you understand and accept the above risks.

About BitsLab

BitsLab is an AI security company focused on digital asset security, dedicated to providing integrated solutions of "audit services + AI security engine + security tools" for the emerging Web3 ecosystem, helping project parties and end users build, trade, and use digital assets more securely on-chain.

In the overall security solution, BitsLab forms a complete AI security system with BitsLab AI Scanner + BitsLab Safe: BitsLab Safe, as an AI-based Web3 security product, provides enterprise-level protection, simulating transactions in real-time, identifying scams and malicious contracts, and relying on BitsLab's agentic security stack to protect x402 payments and various AI Agent's on-chain operations; BitsLab AI Scanner, based on vulnerability and threat data engines, performs intelligent audits and risk detection, significantly improving efficiency and reducing false positives.

BitsLab has three sub-brands: MoveBit, ScaleBit, and TonBit, continuing to deepen its efforts in emerging ecosystems such as Sui, Aptos, TON, Solana, Linea, BNB Chain, Soneium, and Starknet, providing professional auditing and vulnerability discovery services to help projects maintain the security and controllability of core infrastructure during rapid iterations. The BitsLab team consists of several top vulnerability research experts who have won international CTF awards multiple times and have discovered and disclosed critical vulnerabilities in well-known projects such as TON, Aptos, Sui, Nervos, OKX, and Cosmos, promoting ecological security upgrades.