| Server / tool | A untrusted | B sensitive | C external |
|---|---|---|---|
| fetch / fetch | ● | · | · |
| filesystem / create_directory | · | · | ● |
| ↳ directory_tree | · | · | · |
| ↳ edit_file | · | ● | · |
| ↳ get_file_info | · | ● | · |
| ↳ list_directory | · | ● | · |
| ↳ move_file | · | ● | · |
| ↳ read_media_file | · | ● | · |
| ↳ read_multiple_files | · | ● | · |
| ↳ read_text_file | · | ● | · |
| ↳ search_files | · | ● | · |
| ↳ write_file | · | ● | ● |
| slack / slack_get_channel_history | ● | · | · |
| ↳ slack_get_thread_replies | ● | · | · |
| ↳ slack_get_users | · | · | · |
| ↳ slack_list_channels | · | · | · |
| ↳ slack_post_message | · | · | ● |
| ↳ slack_reply_to_thread | · | · | · |
No single server is a full trifecta, but the connected fleet combines all three axes. A (untrusted-input): fetch, slack; B (sensitive-access): filesystem; C (external-comms): filesystem, slack. An agent connected to all of these can be injected through one server and steered to read sensitive data and exfiltrate it through another.
✓ Break the trifecta: remove one axis, split capabilities across isolated agents, or require human approval for the state-changing / external-comms step.
ASI02 · Tool Misuse and Exploitation · confidence 70%
This server's toolset already holds two trifecta axes (B:sensitive-access, C:external-comms). Adding a tool with the third axis — or connecting it alongside another server that provides it — would complete the lethal trifecta.
✓ Break the trifecta: remove one axis, split capabilities across isolated agents, or require human approval for the state-changing / external-comms step.
ASI02 · Tool Misuse and Exploitation · confidence 60%
This server's toolset already holds two trifecta axes (A:untrusted-input, C:external-comms). Adding a tool with the third axis — or connecting it alongside another server that provides it — would complete the lethal trifecta.
✓ Break the trifecta: remove one axis, split capabilities across isolated agents, or require human approval for the state-changing / external-comms step.
ASI02 · Tool Misuse and Exploitation · confidence 60%