Summary
create_agent is documented/described as admin-only, but it is exposed to every container and the host performs no role/admin check — so any agent container can create new agent groups.
Version
upstream main @ d144721 (≈ v2.0.64); present since e83ffbc.
Claim vs. reality
container/agent-runner/src/mcp-tools/agents.ts:
- L8-9 (comment): "create_agent is admin-only. Non-admin containers never see this tool (see mcp-tools/index.ts). The host re-checks permission on receive."
- L35 (tool description, shown to the agent): "…Admin-only. Fire-and-forget."
Neither holds:
- Registered unconditionally.
registerTools([createAgent]) runs at module scope (agents.ts:66); the barrel imports it for its side effect with no gating (mcp-tools/index.ts:11). Every container's MCP server exposes create_agent.
- No host-side re-check.
handleCreateAgent (src/modules/agent-to-agent/create-agent.ts, dispatched from src/delivery.ts handleSystemAction) validates only source-group-exists, name-collision, and path-traversal — no role/admin/permission check.
Impact
A container agent processes inbound messages (a prompt-injection surface). With create_agent ungated, an injected agent can spawn arbitrary agent groups with attacker-chosen name + instructions (the new group's CLAUDE.md) and wire destinations. Path traversal is guarded, but unauthorized agent-group creation enables namespace pollution / persistence / resource abuse — higher impact on shared/multi-user deployments.
Suggested fix
- Conditional registration: don't register
create_agent for non-admin containers (gate in index.ts/agents.ts on role/cli_scope), matching the "non-admin never see this tool" claim; and/or
- Host re-check: in
handleCreateAgent, verify the source group is authorized before creating, matching the "host re-checks permission on receive" claim.
Then align the agents.ts comment + description with whichever gating ships.
Summary
create_agentis documented/described as admin-only, but it is exposed to every container and the host performs no role/admin check — so any agent container can create new agent groups.Version
upstream
main@ d144721 (≈ v2.0.64); present since e83ffbc.Claim vs. reality
container/agent-runner/src/mcp-tools/agents.ts:Neither holds:
registerTools([createAgent])runs at module scope (agents.ts:66); the barrel imports it for its side effect with no gating (mcp-tools/index.ts:11). Every container's MCP server exposescreate_agent.handleCreateAgent(src/modules/agent-to-agent/create-agent.ts, dispatched fromsrc/delivery.tshandleSystemAction) validates only source-group-exists, name-collision, and path-traversal — no role/admin/permission check.Impact
A container agent processes inbound messages (a prompt-injection surface). With
create_agentungated, an injected agent can spawn arbitrary agent groups with attacker-chosenname+instructions(the new group's CLAUDE.md) and wire destinations. Path traversal is guarded, but unauthorized agent-group creation enables namespace pollution / persistence / resource abuse — higher impact on shared/multi-user deployments.Suggested fix
create_agentfor non-admin containers (gate inindex.ts/agents.tson role/cli_scope), matching the "non-admin never see this tool" claim; and/orhandleCreateAgent, verify the source group is authorized before creating, matching the "host re-checks permission on receive" claim.Then align the
agents.tscomment + description with whichever gating ships.