Silas runs LLM agents with operational access to network and security infrastructure. That attack surface spans the AI system, the supply chain, and the customer environment. This document maps it.
| Class | Capability | Typical objective |
|---|---|---|
| External attacker | Internet-originated; no install | Credential theft, prompt injection, SSRF |
| Malicious publisher | Publishes an MCP, capsule, or prompt to a trust tier | Supply-chain compromise of installs that fetch their artifact |
| Compromised tenant insider | Valid install, valid credentials, elevated appetite | Cross-tenant exfil, lateral movement, audit tampering |
| Channel-injected prompt adversary | Controls content reaching the LLM via a tool output | Prompt injection → unauthorized tool call |
| Supply-chain adversary | Upstream dependency, upstream Codex fork, GHCR base image | Backdoored binaries, dependency confusion |
- install-to-gateway: forge install_id, steal provisioned credentials
- per-install mTLS + NKey: impersonate an install, replay traces
- edge orchestrator ↔ MCP stdio: malicious MCP prompt-injection
- silas-ssh ↔ customer infrastructure: credential misuse, unapproved writes
- GCS → install: replace, tamper, exfil-and-decrypt
The 14 prioritized threats are shown below. The full 37-threat matrix is versioned internally; the public list expands as controls ship.
| ID | ATLAS Tactic | Threat | Sev | Current mitigation | Residual gap |
|---|---|---|---|---|---|
| SL-T01 | Reconnaissance (AML.T0000) | Attacker scrapes public repos for CLAUDE.md, preferences.toml | Medium | Sanitizer redacts on output | Developer secret-paste — training |
| SL-T02 | Initial Access (AML.T0010) | Forged install activation | High | NKey challenge-response, admin approval | Gateway bearer rotation not automated |
| SL-T03 | Initial Access (AML.T0012) | Malicious MCP in ~/.silas/mcp.d/ | Critical | Deny-by-default shell & paths | MCP signing not enforced — Epic P3 |
| SL-T04 | Execution (AML.T0050) | Prompt injection via fetched content | Critical | XML-tag wrapping + sanitizer | No per-source quarantine — Epic P7 |
| SL-T05 | Execution (AML.T0051) | Malicious tool output → unauthorized shell | Critical | Approval queues; preferences allowlists | Preset wiring incomplete — Epic P8 |
| SL-T06 | Persistence (AML.T0020) | Attacker modifies capsule on disk | High | SHA-256 checksum on decrypt | Capsule signature — Epic P1 |
| SL-T07 | Persistence (AML.T0020) | Tampering with credentials.json at rest | High | None today | Epic P2 — credential at-rest encryption |
| SL-T08 | Defense Evasion (AML.T0030) | Decompile CLI → extract 1Password service token | Critical | XOR+base64 (not crypto) | Epic P4 — replace with keychain |
| SL-T09 | Discovery (AML.T0040) | Enumerate installs / tenants via admin API | Medium | Gateway bearer; admin GitHub OAuth | tenant_id not enforced — Epic P6 |
| SL-T10 | Exfiltration (AML.T0060) | Exfil Gandalf capsule, decrypt offline | High | age encryption, machine-bound passphrase | Passphrase deterministic — Epic P5 |
| SL-T11 | Exfiltration (AML.T0061) | Log exfil via ClickHouse query | Medium | ClickHouse TLS; NATS subject scoping | Row-level tenant filter — Epic P6 |
| SL-T12 | Impact (AML.T0070) | Unauthorized production config push | Critical | Intent apply gate (policy + canary) | Some vendor MCPs still have bare write tools |
| SL-T13 | Impact (AML.T0071) | Audit-log tamper / delete | High | NATS append-only; 30d retention | No hash chain / signed events — Epic P7 |
| SL-T14 | Supply Chain (AML.T0100) | Upstream Codex fork compromise | Critical | Nightly rebase, CodeQL, lockfile pinning | No signed upstream verification — Epic P3 |
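The residual gap on SL-T13 (no hash chain or signed events) as an added example, not Silas code: each audit entry's SHA-256 covers its predecessor's hash, and the hash is MACed with a key only the log writer holds, so an edited, deleted or reordered entry fails verification at the first affected index. The sample events, install_id values, and key are constructed; deletion from the tail is only caught when the newest hash is also kept off the log store.

```python
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # prev-hash recorded by the first entry

# Constructed sample events of the kind SL-T13 protects; not real Silas audit data.
SAMPLE_EVENTS = [
    {"install_id": "inst-0001", "tool": "silas-ssh", "action": "show running-config", "approved": True},
    {"install_id": "inst-0001", "tool": "silas-ssh", "action": "configure terminal", "approved": True},
    {"install_id": "inst-0001", "tool": "silas-ssh", "action": "no ip access-list 101", "approved": False},
]


def _seal(seq: int, prev: str, event: dict, key: bytes) -> tuple:
    """Hash an entry together with its predecessor's hash, then MAC the hash."""
    body = json.dumps({"seq": seq, "prev": prev, "event": event}, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(body.encode()).hexdigest()
    # Keyed MAC: rewriting rows and recomputing every SHA-256 is not enough
    # without the key held only by the log writer.
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return digest, tag


def append_event(chain: list, event: dict, key: bytes) -> dict:
    """Append an entry whose hash binds it to the previous entry."""
    prev = chain[-1]["hash"] if chain else GENESIS
    digest, tag = _seal(len(chain), prev, event, key)
    chain.append({"seq": len(chain), "prev": prev, "event": dict(event), "hash": digest, "mac": tag})
    return chain[-1]


def build_chain(events: list, key: bytes) -> list:
    chain: list = []
    for ev in events:
        append_event(chain, ev, key)
    return chain


def verify_chain(chain: list, key: bytes, expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first entry that breaks the chain, or None if intact.
    expected_head is the newest hash kept off the log store; without it, tail truncation is invisible."""
    prev = GENESIS
    for i, e in enumerate(chain):
        digest, tag = _seal(e["seq"], e["prev"], e["event"], key)
        if (e["seq"] != i or e["prev"] != prev or e["hash"] != digest
                or not hmac.compare_digest(e["mac"], tag)):
            return i  # edited, reordered, deleted or inserted at or before this point
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)  # tail truncated: the chain ends before the published head
    return None
```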
- SL-T03 → SL-T04 → SL-T09 → SL-T11
- SL-T08 → SL-T02
- SL-T10 (machine-bound passphrase weakness)
- SL-T14 → SL-T03 → SL-T12
- SL-T04 → SL-T05 → SL-T12
| Sev | Meaning |
|---|---|
| Critical | Compromises multiple installs or production infrastructure |
| High | Single-install compromise or significant exfiltration |
| Medium | Limited-scope leak or denial of service |
| Low | Informational or hardening-class finding |
The threat matrix is reviewed each quarter and on any new MCP, capsule, or trust-boundary change. Report findings to [email protected]; see the disclosure program.