| Server / tool | A untrusted | B sensitive | C external |
|---|---|---|---|
| github / create_or_update_file | · | ● | ● |
| ↳ create_pull_request | · | · | ● |
| ↳ delete_file | · | ● | ● |
| ↳ get_discussion_comments | ● | · | · |
| ↳ get_file_contents | · | ● | · |
| ↳ get_me | · | · | · |
| ↳ get_secret_scanning_alert | · | ● | · |
| ↳ issue_read | ● | · | · |
| ↳ issue_write | · | · | ● |
| ↳ list_issues | ● | · | · |
| ↳ list_notifications | ● | · | · |
| ↳ list_repository_collaborators | · | · | · |
| ↳ merge_pull_request | · | · | ● |
| ↳ pull_request_read | ● | ● | · |
| ↳ push_files | · | ● | ● |
This server's combined toolset spans all three lethal-trifecta axes, so an agent using it can be steered to chain them into data exfiltration or unauthorized action. Contributors — A (untrusted-input): github:issue_read, github:list_issues, github:pull_request_read, github:get_discussion_comments, github:list_notifications; B (sensitive-access): github:pull_request_read, github:get_file_contents, github:get_secret_scanning_alert, github:create_or_update_file, github:push_files, github:delete_file; C (external-comms): github:create_or_update_file, github:push_files, github:create_pull_request, github:merge_pull_request, github:issue_write, github:delete_file.
✓ Break the trifecta: remove one axis, split capabilities across isolated agents, or require human approval for the state-changing / external-comms step.
ASI02 · Tool Misuse and Exploitation · confidence 75%