Skip to content

fix: metadata-first watch triage to prevent prompt injection#5

Merged
suisuss merged 2 commits intomainfrom
feat/3-metadata-first-triage
Apr 2, 2026
Merged

fix: metadata-first watch triage to prevent prompt injection#5
suisuss merged 2 commits intomainfrom
feat/3-metadata-first-triage

Conversation

@suisuss
Copy link
Copy Markdown
Owner

@suisuss suisuss commented Apr 2, 2026

Summary

  • Remove raw file content reading from watch triage pipeline to eliminate prompt injection vector
  • Claude now triages exclusively from sread metadata: MIME type, size, entropy, PDF keywords, archive listings, ELF headers, VBA macro presence, shebang lines
  • Read tool removed from watch's allowed tool set, enforced at CLI level

Changes

  • sread fileinfo: text content preview replaced with line count + shebang only; office docs use targeted VBA macro check instead of strings dump; unknown types no longer extract strings
  • agent/watch.sh: Read removed from ALLOWED_TOOLS during triage invocations; prompt updated to forbid content reading
  • agent/WATCH.md: rule 1 now explicitly prohibits raw content reading with rationale (untrusted files could contain text designed to manipulate analysis)

Test plan

  • Run sread fileinfo against a text file — confirm no content preview, only line count + shebang
  • Run sread fileinfo against a PDF — confirm PDF metadata + risk indicators shown, no text extraction
  • Run sread fileinfo against an office doc — confirm VBA macro check only, no strings dump
  • Run watch triage on a test file — confirm Claude cannot invoke Read tool
  • Run existing threatlab tests: docker compose --profile test run --rm secy-test

Closes #3

suisuss added 2 commits April 2, 2026 12:38
@suisuss
fix: metadata-first watch triage to prevent prompt injection
ae80eec 
Remove raw file content reading from watch triage pipeline. Claude now
triages exclusively from sread metadata: MIME type, size, entropy, PDF
keywords, archive listings, ELF headers, VBA macro presence, shebang.

Changes:
- fileinfo module: replace text content preview with line count + shebang
- fileinfo module: replace strings preview on unknown types with no-op
- fileinfo module: replace office strings with targeted VBA macro check
- watch.sh: remove Read from allowed tools during triage
- watch.sh: update prompt to forbid content reading
- WATCH.md: rule 1 now explicitly prohibits raw content reading with rationale

Closes #3
@suisuss
fix: restrict watch to Write-only, sanitize shebang extraction
853b6ba 
- Strip all tools except Write from watch triage — Claude receives
  pre-extracted metadata in the prompt, needs no read/execute access
- Shebang extraction now uses regex to capture interpreter path only,
  rejecting anything outside [a-zA-Z0-9/_.-]
- Closes the Bash/Grep content-reading bypass from review feedback
@suisuss suisuss merged commit d6f7ff6 into main Apr 2, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Watch triage should use metadata-first approach to prevent prompt injection

1 participant

@suisuss