6.3 KiB
6.3 KiB
| title | summary | permalink |
|---|---|---|
| Threat Model | Security threat analysis for Moltbot's attack surfaces and mitigations. | /security/threat-model/ |
Threat Model
This document describes Moltbot's security threat model, attack surfaces, and implemented mitigations.
System Overview
Moltbot is a personal AI assistant that:
- Connects to messaging platforms (WhatsApp, Telegram, Discord, Slack, Signal, iMessage)
- Executes shell commands on the host machine
- Can control browsers via automation tools
- Stores configuration, credentials, and session data locally
Threat Actors
External Attackers
- Network-based: Attackers who can reach the gateway over the network
- Message-based: Malicious users who can send messages through connected channels
- Supply chain: Compromised dependencies or plugins
Malicious Message Senders
- Authorized users who attempt to abuse the system
- Attackers who gain access to an authorized user's account
- Prompt injection attempts through message content
Local Attackers
- Users with local access to the machine
- Malware running on the same machine
Attack Surfaces
1. Messaging Channels
Risk: Unauthorized command execution via messaging platforms.
Attack vectors:
- Sending messages to the bot without authorization
- Impersonating authorized users
- Prompt injection attacks embedded in messages
- Exploiting channel-specific authentication weaknesses
Mitigations:
- Pairing codes with 80-bit entropy (16 chars, 32-char alphabet)
- Per-channel allowlists for authorized senders
- Rate limiting on pairing attempts (10/min)
- HMAC-signed pairing stores to detect tampering
- Prompt injection detection with tiered severity (critical/high/medium/low)
- Prompt boundary markers (
[USER_INPUT_START]/[USER_INPUT_END])
2. Shell Command Execution
Risk: Arbitrary code execution, system compromise, data exfiltration.
Attack vectors:
- Direct malicious commands from authorized users
- Prompt injection leading to command execution
- Shell metacharacter injection
- Path traversal in command arguments
Mitigations:
- Command execution blocklist (critical/high/medium severity)
- Critical patterns always blocked:
rm -rf /,dd if=/dev/zero of=/dev/sda,mkfs, fork bombs - High severity blocked by default:
sudo,passwd,iptables, user management - Allowlist-based execution for untrusted contexts
- Shell command parsing and analysis before execution
- Safe bins list for common utilities with restricted arguments
- One-time-use nonces for exec approval tokens (replay protection)
3. Gateway API
Risk: Unauthorized access to bot functionality, denial of service.
Attack vectors:
- Unauthenticated access to exposed gateway
- Brute-force attacks on authentication
- Rate-based denial of service
- Session hijacking
Mitigations:
- Security warning at startup for non-loopback binding without auth
- Token or password authentication for remote access
- Rate limiting with token bucket algorithm:
- Unauthenticated: 60 requests/min
- Channel messages: 200/min per channel
- Burst support (2x multiplier)
- Exponential backoff after authentication failures (1s base, 60s max)
- Per-client tracking (separate buckets per IP/session)
4. Local File Storage
Risk: Credential theft, session hijacking, configuration tampering.
Attack vectors:
- Reading unencrypted credentials from disk
- Modifying configuration files
- Tampering with pairing stores
- Session file manipulation
Mitigations:
- Secrets stored in system keychain (macOS Keychain, Linux Secret Service)
- Fallback to AES-256-GCM encrypted files with PBKDF2 key derivation
- Machine-derived encryption keys for file fallback
- HMAC signatures on pairing stores
- File permissions set to 0o600 (owner read/write only)
5. Browser Automation
Risk: Session theft, credential capture, unintended actions.
Attack vectors:
- Accessing sensitive pages without consent
- Capturing authentication cookies
- Executing JavaScript with elevated privileges
- Taking screenshots of sensitive content
Mitigations:
- Browser actions require explicit user session
- No automatic credential capture
- User-initiated browser automation only
6. Plugin/Extension System
Risk: Malicious or vulnerable plugins executing arbitrary code.
Attack vectors:
- Malicious plugins with broad permissions
- Vulnerable plugins with security flaws
- Dependency confusion attacks
Mitigations:
- Plugins run in the same trust context as the main process
- Plugin installation requires explicit user action
- Plugins installed from npm with standard security practices
Residual Risks
Accepted Risks
- Local administrator access: System assumes local admin is trusted
- Authorized user abuse: Rate limits but cannot prevent all abuse
- LLM prompt injection: Detection is heuristic-based, not foolproof
- Supply chain: Depends on npm ecosystem security
Known Limitations
- No sandboxing: Commands execute in the main process context
- Single-user model: Not designed for multi-tenant use
- Trust on first use: Initial setup requires manual verification
Security Properties
Confidentiality
- Credentials protected by system keychain or encryption
- Message content not logged by default
- Session data isolated per agent
Integrity
- Pairing stores signed with HMAC
- Configuration files protected by file permissions
- One-time nonces prevent replay attacks
Availability
- Rate limiting prevents resource exhaustion
- Exponential backoff limits brute-force impact
- Graceful degradation on provider failures
Security Controls Summary
| Control | Implementation | Status |
|---|---|---|
| Prompt injection detection | src/gateway/chat-sanitize.ts |
Active |
| Command blocklist | src/infra/exec-blocklist.ts |
Active |
| Secrets encryption | src/infra/secrets-manager.ts |
Active |
| Gateway rate limiting | src/gateway/rate-limit.ts |
Active |
| Pairing hardening | src/pairing/pairing-store.ts |
Active |
| Approval nonces | src/infra/exec-approvals.ts |
Active |
Incident Response
If you discover a security vulnerability:
- Do not disclose publicly until patched
- Report via GitHub security advisories
- Provide reproduction steps and impact assessment
Version History
- 2026-01-27: Initial threat model for Phase 1 security hardening