P8: External Link Quarantine & Stealth-Intent Detection (Anti-Astroturfing)
Context
Sub-ticket of Epic #10291 (Organism Self-Defense). This addresses a vulnerability discovered empirically when an external automated agent (@desiorac) infiltrated the #10291 epic itself.
The external agent used a "Trojan Horse" strategy: generating high-quality, peer-to-peer technical critiques to build credibility and bypass human spam filters, then seamlessly inserting a marketing backlink (arkforge.tech) at the end of the payload. The attack was only detected because the agent's wrapper script leaked its French Chain-of-Thought prompting instructions.
The Problem
Current defenses (P1 provenance, P6b guards) protect the graph and the tool execution boundary. However, they do not protect the swarm from Stealth Astroturfing or Malicious Link Traversal.
If a highly credible technical comment contains a link, an agent might traverse it (via web reading tools) to gather more context, walking directly into a watering-hole attack, IP-logger, or prompt-injection payload hosted on the external site. Furthermore, storing these links in our Memory Core turns our database into an SEO link-farm.
2026 Industry-Standard Alignment
Mitigates OWASP ASI01 Agent Goal Hijack (via indirect prompt injection on external sites) and Supply Chain / Watering Hole Attacks. It aligns with Zero-Trust architecture by assuming all external URIs are hostile until proven otherwise.
The Architectural Reality
- mcp_neo-mjs-github-workflow read paths (e.g., get_conversation)
- AGENTS.md (Agent directives on tool usage)
- Memory Core ingestion paths
The Fix
- URI Defanging at the Read Boundary: When get_conversation or issue-fetching tools retrieve content authored by the External trust tier (per P1), all hyperlinks and raw URLs must be regex-defanged (e.g., https://arkforge.tech -> [QUARANTINED_URL: arkforge.tech]).
- Traversal Prohibition Rule: An explicit rule in AGENTS.md strictly forbidding any agent from using URL-reading tools on domains provided by external users without explicit Human Commander (@tobiu) approval.
- P7 Contextual Sanitizer Extension: Ensure the P7 Critic/Verifier agent is instructed to strip self-promotional astroturfing context when persisting external summaries to the Memory Core, preventing our graph from becoming an SEO link-farm.
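As an added example (not code from the neo.mjs project or this ticket), a JavaScript sketch of the first two controls above: the read-boundary defang applied only to External-tier content, and the traversal allow-check an agent would consult before any URL-reading tool call. The comment.trustTier field, the approvedDomains set and the sample comment are assumptions.

```javascript
// Added example, not the neo.mjs project's own code: URI defanging at the read
// boundary for the External trust tier plus a traversal allow-check.
// comment.trustTier and the approvedDomains set are assumed field/parameter names.

// Raw http(s) URLs and www.-prefixed hosts. Scheme-less bare domains are
// deliberately not matched, to avoid false positives such as AGENTS.md.
const RAW_URL_RE = /\b(?:https?:\/\/|www\.)[^\s<>()\[\]"']+/gi;
// Markdown hyperlinks [label](url), rewritten first so the label survives.
const MD_LINK_RE = /\[([^\]]*)\]\(\s*((?:https?:\/\/|www\.)[^)\s]+)\s*\)/gi;
const TRAILING_PUNCT_RE = /[.,;:!?]+$/;

// Reduce a URL to its host so the tag carries no path, query or tracking token.
function hostOf(rawUrl) {
  const cleaned = rawUrl.replace(TRAILING_PUNCT_RE, '');
  const withScheme = /^https?:\/\//i.test(cleaned) ? cleaned : `https://${cleaned}`;
  try {
    return new URL(withScheme).hostname.toLowerCase();
  } catch {
    return cleaned.toLowerCase(); // unparsable: quarantine the literal text
  }
}

const quarantineTag = (rawUrl) => `[QUARANTINED_URL: ${hostOf(rawUrl)}]`;

// Replace every hyperlink and raw URL; sentence punctuation after a URL is kept.
function defangText(text) {
  return text
    .replace(MD_LINK_RE, (_m, label, url) => `${label} ${quarantineTag(url)}`.trim())
    .replace(RAW_URL_RE, (m) => quarantineTag(m) + (m.match(TRAILING_PUNCT_RE) || [''])[0]);
}

// Read-boundary hook: only content from the External tier (per P1) is rewritten.
function defangComment(comment) {
  return comment.trustTier === 'External' ? defangText(comment.body) : comment.body;
}

// Traversal Prohibition: URL-reading tools may fetch only hosts explicitly
// approved by the Human Commander; exact-host match, no subdomain inheritance.
function canTraverse(url, approvedDomains) {
  return approvedDomains.has(hostOf(url));
}

// Constructed sample shaped like the comment the ticket describes.
const SAMPLE_COMMENT = {
  trustTier: 'External',
  body: 'Solid critique of the scheduler. More at https://arkforge.tech/blog, ' +
        'see [our docs](https://docs.arkforge.tech) or www.arkforge.tech.'
};
console.log(defangComment(SAMPLE_COMMENT));
```

The technical text of the comment survives intact; only the link targets are reduced to a quarantine tag, which is what the Out of Scope note below asks for.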
Acceptance Criteria
- AGENTS.md updated with strict External URL Traversal Prohibition.
- get_conversation MCP tool updated to defang URLs from non-collaborator comments.
Out of Scope
- GitHub Action automated comment deletion (we want to keep the technical signal, just kill the link).
Related