SharetoBoard
Threat model · v0.3.0 RC

Tentaclaw security and incident manual.

Protect the account-wide Poppy credential, restrict destinations, minimize content, treat returned material as untrusted, and keep release evidence separate from assumptions.

Assets and trust boundaries

Protected assets

  • Poppy API credential
  • Private board/chat content
  • Conversation integrity and history
  • Board/chat destination policy
  • Audit metadata and release evidence

Boundaries

  • Human ↔ agent conversation
  • Agent/skills ↔ MCP client
  • MCP client ↔ Tentaclaw process
  • Tentaclaw ↔ local secret store
  • Tentaclaw ↔ Poppy API

Primary threats and controls

ThreatPrimary controlResidual risk
Credential enters agent contextHuman-managed local key file; no key in skill/config/chatHost/process compromise can still read it
Wrong board or chatExact resolution plus server allowlistsIncorrect allowlist configuration
Prompt injection in board contentSkills treat output as data and forbid operational obedienceModel may still mis-handle persuasive content
Overbroad enumerationTask-need rule and filtered destination policyDiscovery tools retain account metadata authority
Redirect or destination substitutionHTTPS allowlist, no embedded credentials, redirect denialTrusted upstream compromise
Oversized/slow responseRequest/response limits, timeout, bounded retriesUpstream resource consumption within limits
Sensitive loggingMetadata-only audit events and redacted errorsMCP client may independently log tool payloads
Unapproved conversation writesDistinct tools, history off by default, skill workflow rulesClient with tool authority can still invoke writes

Data handling

Credential rules

Never: paste the key or a credential-bearing URL into chat; put it in a skill, source file, shell argument, browser extension, committed JSON/TOML/YAML, screenshot, support ticket, or ordinary log; ask the agent to read the key file.

The v0.3.0 candidate checks key-file permissions, ownership, and symlink behavior on POSIX. Windows operators must enforce ACLs separately. Where available, use an OS credential store, container secret, or vault integration reviewed for the deployment.

Suspected exposure response

  1. Stop access. Shut down the MCP client and Tentaclaw process.
  2. Rotate at the source. Revoke/reissue the Poppy key. Do not merely move the exposed value.
  3. Preserve minimal evidence. Record time, host, client, version, tool, and safe error metadata without copying sensitive content.
  4. Remove exposed artifacts. Delete or sanitize chat exports, workspace files, shell history, logs, screenshots, and source-control entries according to their platform procedures.
  5. Review scope. Determine which boards/chats the account-wide key could reach and whether conversation writes or credit consumption occurred.
  6. Rebuild trust. Create a new protected key file, restore allowlists, and validate with a disposable destination before production.
  7. Report product defects. Send a minimal report to security@sharetoboard.com without including the key or private content.

Security non-claims