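```mermaid
%% Component / data-flow view of the agent. Node labels use <br/> for line breaks:
%% a literal newline inside a quoted label (or a `class` statement split across
%% two lines) is not valid mermaid and stops the whole diagram from rendering.
graph TB
    subgraph External["EXTERNAL ATTACK SURFACE"]
        Telegram["Telegram Gateway"]
        Discord["Discord Gateway"]
        Slack["Slack Gateway"]
        Email["Email Gateway"]
        Matrix["Matrix Gateway"]
        Signal["Signal Gateway"]
        WebUI["Open WebUI"]
        %% NOTE(review): the label says plain HTTP; if that is accurate, transport
        %% confidentiality/integrity for this entry point is itself part of the surface.
        APIServer["API Server (HTTP)"]
    end

    subgraph Gateway["GATEWAY LAYER"]
        PlatformAdapters["Platform Adapters"]
        SessionMgr["Session Manager"]
        Config["Gateway Config"]
    end

    subgraph Core["CORE AGENT"]
        AIAgent["AI Agent"]
        ToolRouter["Tool Router"]
        PromptBuilder["Prompt Builder"]
        ModelClient["Model Client"]
    end

    subgraph Tools["TOOL LAYER"]
        FileTools["File Tools"]
        TerminalTools["Terminal Tools"]
        WebTools["Web Tools"]
        BrowserTools["Browser Tools"]
        DelegateTools["Delegate Tools"]
        CodeExecTools["Code Execution"]
        MCPTools["MCP Tools"]
    end

    subgraph Sandboxes["SANDBOX ENVIRONMENTS"]
        %% NOTE(review): "Local Environment" is grouped with the sandboxes but presumably
        %% executes on the host itself, so the "Sandbox Isolation" control in the threat
        %% view below does not cover this path — confirm and label accordingly.
        LocalEnv["Local Environment"]
        DockerEnv["Docker Environment"]
        ModalEnv["Modal Cloud"]
        DaytonaEnv["Daytona Environment"]
        SSHEnv["SSH Environment"]
        SingularityEnv["Singularity Environment"]
    end

    subgraph Credentials["CREDENTIAL STORAGE"]
        AuthJSON["auth.json<br/>(OAuth tokens)"]
        DotEnv[".env<br/>(API keys)"]
        MCPTokens["mcp-tokens/<br/>(MCP OAuth)"]
        SkillCreds["Skill Credentials"]
        ConfigYAML["config.yaml<br/>(Configuration)"]
    end

    subgraph DataStores["DATA STORES"]
        ResponseDB["Response Store<br/>(SQLite)"]
        SessionDB["Session DB"]
        Memory["Memory Store"]
        SkillsHub["Skills Hub"]
    end

    subgraph ExternalServices["EXTERNAL SERVICES"]
        LLMProviders["LLM Providers<br/>(OpenAI, Anthropic, etc.)"]
        WebSearch["Web Search APIs<br/>(Firecrawl, Tavily, etc.)"]
        BrowserCloud["Browser Cloud<br/>(Browserbase)"]
        CloudProviders["Cloud Providers<br/>(Modal, Daytona)"]
    end

    %% External to Gateway
    Telegram --> PlatformAdapters
    Discord --> PlatformAdapters
    Slack --> PlatformAdapters
    Email --> PlatformAdapters
    Matrix --> PlatformAdapters
    Signal --> PlatformAdapters
    WebUI --> PlatformAdapters
    APIServer --> PlatformAdapters

    %% Gateway to Core
    PlatformAdapters --> SessionMgr
    SessionMgr --> AIAgent
    Config --> AIAgent

    %% Core to Tools
    %% NOTE(review): PromptBuilder has no edges at all and ModelClient has no inbound
    %% edge, so the AIAgent -> prompt -> model path is not represented — confirm whether
    %% those edges were dropped or the components are unused.
    AIAgent --> ToolRouter
    ToolRouter --> FileTools
    ToolRouter --> TerminalTools
    ToolRouter --> WebTools
    ToolRouter --> BrowserTools
    ToolRouter --> DelegateTools
    ToolRouter --> CodeExecTools
    ToolRouter --> MCPTools

    %% Tools to Sandboxes
    TerminalTools --> LocalEnv
    TerminalTools --> DockerEnv
    TerminalTools --> ModalEnv
    TerminalTools --> DaytonaEnv
    TerminalTools --> SSHEnv
    TerminalTools --> SingularityEnv
    CodeExecTools --> DockerEnv
    CodeExecTools --> ModalEnv

    %% Credentials access
    %% NOTE(review): the agent itself reads auth.json and .env, and every tool is
    %% reachable from the agent via ToolRouter; any tool-level compromise is therefore
    %% one hop from long-lived secrets. Worth documenting which component is meant to
    %% enforce separation here.
    AIAgent --> AuthJSON
    AIAgent --> DotEnv
    MCPTools --> MCPTokens
    FileTools --> SkillCreds
    PlatformAdapters --> ConfigYAML

    %% Data stores
    AIAgent --> ResponseDB
    AIAgent --> SessionDB
    AIAgent --> Memory
    AIAgent --> SkillsHub

    %% External services
    ModelClient --> LLMProviders
    WebTools --> WebSearch
    BrowserTools --> BrowserCloud
    ModalEnv --> CloudProviders
    DaytonaEnv --> CloudProviders

    %% Style definitions
    classDef external fill:#ff9999,stroke:#cc0000,stroke-width:2px
    classDef gateway fill:#ffcc99,stroke:#cc6600,stroke-width:2px
    classDef core fill:#ffff99,stroke:#cccc00,stroke-width:2px
    classDef tools fill:#99ff99,stroke:#00cc00,stroke-width:2px
    classDef sandbox fill:#99ccff,stroke:#0066cc,stroke-width:2px
    classDef credentials fill:#ff99ff,stroke:#cc00cc,stroke-width:3px
    classDef datastore fill:#ccccff,stroke:#6666cc,stroke-width:2px
    classDef external_svc fill:#ccffff,stroke:#00cccc,stroke-width:2px

    class Telegram,Discord,Slack,Email,Matrix,Signal,WebUI,APIServer external
    class PlatformAdapters,SessionMgr,Config gateway
    class AIAgent,ToolRouter,PromptBuilder,ModelClient core
    class FileTools,TerminalTools,WebTools,BrowserTools,DelegateTools,CodeExecTools,MCPTools tools
    class LocalEnv,DockerEnv,ModalEnv,DaytonaEnv,SSHEnv,SingularityEnv sandbox
    class AuthJSON,DotEnv,MCPTokens,SkillCreds,ConfigYAML credentials
    class ResponseDB,SessionDB,Memory,SkillsHub datastore
    class LLMProviders,WebSearch,BrowserCloud,CloudProviders external_svc
```

```mermaid
%% Threat view: each attack vector is mapped to the asset it targets and the
%% control it would have to bypass.
flowchart TB
    subgraph AttackVectors["ATTACK VECTORS"]
        direction TB
        AV1["1. Malicious User Prompts"]
        AV2["2. Compromised Skills"]
        AV3["3. Malicious URLs"]
        AV4["4. File Path Manipulation"]
        AV5["5. Command Injection"]
        AV6["6. Credential Theft"]
        AV7["7. Session Hijacking"]
        AV8["8. Sandbox Escape"]
    end

    subgraph Targets["HIGH-VALUE TARGETS"]
        direction TB
        T1["API Keys & Tokens"]
        T2["User Credentials"]
        T3["Session Data"]
        T4["Host System"]
        T5["Cloud Resources"]
    end

    subgraph Mitigations["SECURITY CONTROLS"]
        direction TB
        M1["Dangerous Command Approval"]
        M2["Skills Guard Scanning"]
        M3["URL Safety Checks"]
        M4["Path Validation"]
        M5["Secret Redaction"]
        M6["Sandbox Isolation"]
        M7["Session Management"]
        %% NOTE(review): M8 has no edges. Audit logging is a detective control rather
        %% than a preventive one, so it is not "bypassed" by a single vector; consider
        %% stating that explicitly or linking it to the vectors it is meant to surface.
        M8["Audit Logging"]
    end

    AV1 -->|exploits| T4
    AV1 -->|bypasses| M1
    AV2 -->|targets| T1
    AV2 -->|bypasses| M2
    AV3 -->|targets| T5
    AV3 -->|bypasses| M3
    AV4 -->|targets| T4
    AV4 -->|bypasses| M4
    AV5 -->|targets| T4
    AV5 -->|bypasses| M1
    AV6 -->|targets| T1 & T2
    AV6 -->|bypasses| M5
    AV7 -->|targets| T3
    AV7 -->|bypasses| M7
    AV8 -->|targets| T4 & T5
    AV8 -->|bypasses| M6
```

```mermaid
%% Scenario walk-through: command injection via a messaging platform, showing the
%% prevented path (approval gate) and the unmitigated path.
sequenceDiagram
    participant Attacker
    participant Platform as Messaging Platform
    participant Gateway as Gateway Adapter
    participant Agent as AI Agent
    participant Tools as Tool Layer
    participant Sandbox as Sandbox Environment
    participant Creds as Credential Store

    Note over Attacker,Creds: Attack Scenario: Command Injection

    Attacker->>Platform: Send malicious message:<br/>"; rm -rf /; echo pwned"
    Platform->>Gateway: Forward message
    Gateway->>Agent: Process user input
    Agent->>Tools: Execute terminal command

    alt Security Controls Active
        Tools->>Tools: detect_dangerous_command()
        Tools-->>Agent: BLOCK: Dangerous pattern detected
        Agent-->>Gateway: Request user approval
        Gateway-->>Platform: "Approve dangerous command?"
        %% NOTE(review): as drawn, the approval prompt goes back to the same principal
        %% that sent the message. The "Deny" below only holds if that principal is honest;
        %% a control that asks the requester to approve their own command is not a gate.
        %% The approver should be a separately authenticated operator/owner, and the
        %% diagram should show that distinction.
        Platform-->>Attacker: Approval prompt
        Attacker-->>Platform: Deny
        Platform-->>Gateway: Command denied
        Gateway-->>Agent: Cancel execution
        Note right of Tools: ATTACK PREVENTED
    else Security Controls Bypassed
        Tools->>Sandbox: Execute command<br/>(bypassing detection)
        Sandbox->>Sandbox: System damage
        Sandbox->>Creds: Attempt credential access
        Note right of Tools: ATTACK SUCCESSFUL
    end
```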