| Server / tool | A untrusted | B sensitive | C external |
|---|---|---|---|
| notes-reader / list_files | · | ● | · |
| ↳ read_file | · | ● | · |
| slack-notifier / send_message | · | · | ● |
| web-fetcher / fetch_doc | ● | · | · |
| ↳ search_docs | · | · | · |
No single server is a full trifecta, but the connected fleet combines all three axes. A (untrusted-input): web-fetcher; B (sensitive-access): notes-reader; C (external-comms): slack-notifier. An agent connected to all of these can be injected through one server and steered to read sensitive data and exfiltrate it through another.
✓ Break the trifecta: remove one axis, split capabilities across isolated agents, or require human approval for the state-changing / external-comms step.
ASI02 · Tool Misuse and Exploitation · confidence 70%
Environment variable 'SLACK_TOKEN' in the config holds a hardcoded Slack token.
✓ Load secrets from a secret manager or runtime environment, never commit them to config, and rotate any exposed credential.
ASI03 · Identity and Privilege Abuse · confidence 85%