Rules / AIRA-059
exec credential probe or process kill
Hard review on pending exec when command probes environment variables for credentials, parses auth-profiles via shell pipelines, kills OpenClaw processes, or deletes agent config. Harvested from replay session 52d3c8dc where identical user intent made AIRA-010 L3 margins collapse across benign and risky commands.
Rule definition
# OWASP ASI03/ASI05: high-risk host exec that L3 cannot reliably separate when session
# intent is long and dominates bi-encoder scoring (OpenClaw memory-session harvest).
rule: AIRA-059
meta:
  name: exec credential probe or process kill
  severity: high
  action: review
  authority: hard # never L3-downgraded; complements AIRA-010 soft exec review
  description: >
    Hard review on pending exec when command probes environment variables for
    credentials, parses auth-profiles via shell pipelines, kills OpenClaw processes,
    or deletes agent config. Harvested from replay session 52d3c8dc where identical
    user intent made AIRA-010 L3 margins collapse across benign and risky commands.
  owasp:
    asi:
      - ASI03:2026 # Identity & Privilege Abuse — credential discovery via env/auth store
      - ASI05:2026 # Unexpected Code Execution — process kill and destructive rm
      - ASI02:2026 # Tool Misuse — exec for host introspection beyond scoped allow-list
    llm:
      - LLM02:2025 # Sensitive Information Disclosure — env and auth-profiles probing
      - LLM06:2025 # Excessive Agency — killing gateway / deleting agent config
condition:
  sequence:
    - tool: exec
      status: pending
      args_match:
        command: "env\\s*\\|\\s*grep|\\bauth-profiles\\.json\\b.*\\|\\s*(python|python3)|\\bpkill\\b|\\brm\\s+[^\\n]*agents/[^\\n]*/agent/config\\.json"
Corpus examples (0)
No corpus examples published for this rule yet.
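The rule's condition checked against constructed commands, as an added example that is not part of this rule page or the AIRA project's own code. It assumes the engine applies args_match.command as an unanchored, Python-compatible regex search; evaluate, pending, the branch names and the event shape are hypothetical.

```python
import re

# Alternatives of args_match.command, copied from the rule after YAML
# double-quote unescaping (\\s -> \s). Branch names are added labels.
BRANCHES = {
    "env_grep": r"env\s*\|\s*grep",
    "auth_profiles_pipe": r"\bauth-profiles\.json\b.*\|\s*(python|python3)",
    "pkill": r"\bpkill\b",
    "rm_agent_config": r"\brm\s+[^\n]*agents/[^\n]*/agent/config\.json",
}
# Same alternation order as the rule's single pattern.
FULL_PATTERN = re.compile("|".join(BRANCHES.values()))


def evaluate(event):
    """Return the branch names that put this tool call into hard review.

    Assumption: the engine does an unanchored search (re.search semantics)
    on args.command, only for exec calls whose status is pending.
    """
    if event.get("tool") != "exec" or event.get("status") != "pending":
        return []
    command = event.get("args", {}).get("command", "")
    if not FULL_PATTERN.search(command):
        return []
    return [name for name, rx in BRANCHES.items() if re.search(rx, command)]


def pending(command):
    """Build a constructed pending exec event for the samples below."""
    return {"tool": "exec", "status": "pending", "args": {"command": command}}


# Constructed sample commands (not from the rule corpus or the replay session).
SAMPLES = [
    "env | grep -i token",
    "printenv | grep -i key",            # matches: env_grep has no leading \b
    "cat auth-profiles.json | python3 -m json.tool",
    "pkill -f openclaw",
    "pkill -f chromedriver",             # matches: pkill branch is not scoped by target
    "rm -f agents/demo/agent/config.json",
    "ls -la agents/demo/agent",
    "git status",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        hits = evaluate(pending(cmd))
        print(f"{'REVIEW' if hits else 'pass':6}  {','.join(hits) or '-':20}  {cmd}")
```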