Agent Ascend was built as a secure, local-first alternative to plugins that send data to external servers.
- No external network connections — zero fetch, zero WebSocket, zero gRPC.
- No instance registration — no "register", "request_key_id", "client_id".
- No remote memories — no risk of external instruction injection.
- No external API keys — optional local embeddings via `@huggingface/transformers`.
- No telemetry — zero analytics, zero tracking, zero phone-home.
- No credential access — does not touch passwords, tokens, or keys.
- No arbitrary code execution — no `eval()`, `Function()`, or dynamic imports.
- SQLite database — all data stored locally in `~/.agent-ascend/memory.db`.
- FTS5 full-text search — indexed search within the local database.
- Input sanitization — strips IDs, paths, emails, API keys, IPs before storage.
- Parameterized queries — all SQL uses prepared statements (no string interpolation).
- Audit trail — every mutation logged in the `audit_log` table with timestamp and context.
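The input-sanitization control listed above (strip IDs, paths, emails, API keys and IPs before anything is written to the local database), shown as an added TypeScript example. This is illustrative code, not Agent Ascend's own implementation: the regexes are constructed heuristics, the placeholder tokens and the sample text are made up here, and a real deployment would tune the pattern list to the data it actually stores.

```typescript
// Added example of a pre-storage sanitization pass. Not Agent Ascend's code;
// every pattern below is a constructed heuristic and will not catch every form.

type RedactionKind = "PATH" | "EMAIL" | "API_KEY" | "ID" | "IP";

// Patterns run in this order so that the longer match wins when one kind of
// value embeds another (a path that contains an IP address, for instance).
const PATTERNS: Array<[RedactionKind, RegExp]> = [
  // Home-relative and absolute POSIX paths under common roots, plus Windows drive paths.
  ["PATH", /(?:~|\/(?:home|Users|tmp|var|etc|opt))\/[^\s'"`]+|[A-Za-z]:\\[^\s'"`]+/g],
  ["EMAIL", /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g],
  // Prefixed secrets (a constructed list of common prefixes) and bearer tokens.
  ["API_KEY", /\b(?:(?:sk|pk|ghp|gho|xox[bp])[-_]|AKIA)[A-Za-z0-9_-]{16,}\b|\bBearer\s+[A-Za-z0-9._-]{16,}/g],
  // UUID-shaped identifiers.
  ["ID", /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/gi],
  ["IP", /\b(?:\d{1,3}\.){3}\d{1,3}\b/g],
];

interface SanitizeResult {
  text: string;                          // redacted text, safe to persist
  counts: Record<RedactionKind, number>; // how many of each kind were removed (useful for the audit trail)
}

function sanitizeForStorage(input: string): SanitizeResult {
  const counts: Record<RedactionKind, number> = { PATH: 0, EMAIL: 0, API_KEY: 0, ID: 0, IP: 0 };
  let text = input;
  for (const [kind, re] of PATTERNS) {
    // Each match is replaced with a fixed placeholder so the stored text keeps its
    // shape without keeping the value.
    text = text.replace(re, () => {
      counts[kind] += 1;
      return `[${kind}]`;
    });
  }
  return { text, counts };
}

// Constructed sample input; none of these values are real.
const SAMPLE =
  "User alice@example.com reported that /home/alice/project/.env was committed " +
  "with an API key sk-abcdefghijklmnopqrstuvwxyz012345 and host 192.168.1.20. " +
  "Ticket 123e4567-e89b-12d3-a456-426614174000 tracks it.";

function demo(): SanitizeResult {
  const result = sanitizeForStorage(SAMPLE);
  console.log(result.text);
  console.log(result.counts);
  return result;
}

demo();
```

The counts are returned rather than only logged so the caller can record in its audit trail that a memory was stored with, say, one e-mail and one key redacted, without recording the values themselves.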
These controls were implemented during the ORÁCULO v1.6 security audit:
| Control | Implementation | File |
|---|---|---|
| SQL injection prevention | Outcome enum whitelist validation | tools.ts |
| LIKE injection prevention | Metacharacter escaping with ESCAPE '\' | graph.ts |
| Hash collision resistance | FNV-1a extended to 192-bit (48 hex chars) | store.ts |
| Rate limiting bypass prevention | Warmstart uses direct transactional INSERT | tools.ts |
| Table name interpolation | Health check uses sqlite_master lookup | store.ts |
| File path validation | CLI warmstart validates .json extension + existence | cli/index.ts |
| Error logging | 14 catch blocks with contextual stderr logging | Multiple |
| Experience Replay integrity | PER q_delta compares against previous experience | store.ts |

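The first two rows of the table (outcome enum whitelist, LIKE metacharacter escaping with `ESCAPE '\'`) together with the parameterized-query rule from the list above, as an added TypeScript example. It is not Agent Ascend's source: the outcome values, the `experiences` table and its columns are assumed names, and the small `likeMatch` evaluator is a constructed stand-in for SQLite's LIKE operator, included only so the effect of escaping can be observed without a database.

```typescript
// Added example, not the project's own code. Table, column and enum names are assumed.

// 1. Whitelist: only a fixed set of outcome values is ever bound into SQL.
const OUTCOMES = ["success", "failure", "partial"] as const; // constructed values
type Outcome = (typeof OUTCOMES)[number];

function isOutcome(value: unknown): value is Outcome {
  return typeof value === "string" && (OUTCOMES as readonly string[]).indexOf(value) !== -1;
}

// 2. LIKE escaping: %, _ and the escape character itself are prefixed with \
//    so that a user-supplied term is matched literally under ESCAPE '\'.
const LIKE_ESCAPE = "\\";

function escapeLike(term: string): string {
  return term.replace(/[\\%_]/g, (ch) => LIKE_ESCAPE + ch);
}

// 3. Parameterization: the SQL text is constant; user data travels only in params.
interface PreparedQuery {
  sql: string;
  params: unknown[];
}

function buildSearchQuery(outcome: unknown, term: string): PreparedQuery {
  if (!isOutcome(outcome)) {
    throw new Error(`invalid outcome: ${String(outcome)}`);
  }
  return {
    sql: "SELECT id, text FROM experiences WHERE outcome = ? AND text LIKE ? ESCAPE '\\'",
    params: [outcome, `%${escapeLike(term)}%`],
  };
}

// Constructed evaluator of SQLite LIKE semantics (case-insensitive, % = any run,
// _ = one char, ESCAPE char makes the next char literal). Only for demonstration.
function likeMatch(pattern: string, text: string, escape: string = LIKE_ESCAPE): boolean {
  const p = pattern.toLowerCase();
  const t = text.toLowerCase();
  const rec = (i: number, j: number): boolean => {
    if (i === p.length) return j === t.length;
    const c = p[i];
    if (c === escape && i + 1 < p.length) {
      return j < t.length && t[j] === p[i + 1] && rec(i + 2, j + 1);
    }
    if (c === "%") {
      for (let k = j; k <= t.length; k++) if (rec(i + 1, k)) return true;
      return false;
    }
    if (c === "_") return j < t.length && rec(i + 1, j + 1);
    return j < t.length && t[j] === c && rec(i + 1, j + 1);
  };
  return rec(0, 0);
}

// Demonstration: a term containing % would, unescaped, match unrelated rows.
function demoLike(): { unescapedHit: boolean; escapedHit: boolean; literalHit: boolean } {
  const term = "50%";
  const unescapedHit = likeMatch(`%${term}%`, "50 dollars off");              // true: % acts as a wildcard
  const escapedHit = likeMatch(`%${escapeLike(term)}%`, "50 dollars off");    // false: % is now literal
  const literalHit = likeMatch(`%${escapeLike(term)}%`, "Save 50% today");    // true: the real 50% matches
  return { unescapedHit, escapedHit, literalHit };
}

console.log(buildSearchQuery("success", "50%"));
console.log(demoLike());
```

The whitelist check runs before the query is built, so an outcome such as `success' OR 1=1--` never reaches the driver even as a bound parameter, and the escaped LIKE pattern keeps a search for `50%` from matching every row that contains `50`.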
| Threat | Mitigation |
|---|---|
| Data exfiltration | Zero external endpoints; all data in local SQLite |
| Instruction injection | No remote memories; only reads from local DB |
| Privilege escalation | Runs in user-space without elevated permissions |
| Skill manipulation | Skills are proposals until explicitly activated |
| Data poisoning | Q-value Bellman update prevents extreme scores; rate limiting (60/min) |
| DoS via bulk import | Warmstart capped at 500 items per call |
| SQL injection | All queries parameterized; outcome validated against enum |
| LIKE wildcards | %, _, \ escaped in all LIKE patterns |
| Hash collision | 192-bit FNV-1a on full text (not truncated) |
| Supply chain | 3 runtime deps: @modelcontextprotocol/sdk, better-sqlite3, zod |
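The two quantitative mitigations in the threat table (rate limiting at 60 per minute, warmstart capped at 500 items per call), as an added TypeScript example rather than the project's own code. The limiter is a sliding window with an injectable clock so it can be exercised without waiting a minute; the `warmstart` signature and the choice to refuse an oversized batch outright (the page does not say whether the real cap truncates or refuses) are assumptions made here.

```typescript
// Added example, not Agent Ascend's code. The constants match the README's
// figures; everything else (class and function shapes, refuse-vs-truncate) is assumed.

const RATE_LIMIT_PER_MINUTE = 60;
const WARMSTART_MAX_ITEMS = 500;
const WINDOW_MS = 60000;

class SlidingWindowLimiter {
  private stamps: number[] = [];

  constructor(
    private readonly limit: number,
    private readonly now: () => number = () => Date.now(), // injectable clock for tests
  ) {}

  // Records the call and returns true if it fits in the window; returns false
  // (and records nothing) once `limit` calls have been made in the last minute.
  tryAcquire(): boolean {
    const t = this.now();
    while (this.stamps.length > 0 && t - this.stamps[0] >= WINDOW_MS) {
      this.stamps.shift(); // drop timestamps that have aged out of the window
    }
    if (this.stamps.length >= this.limit) return false;
    this.stamps.push(t);
    return true;
  }
}

interface WarmstartItem {
  text: string;
  outcome: string;
}

interface WarmstartResult {
  accepted: number;
  rejectedReason?: string;
}

// The cap is checked before any item is stored: an oversized batch is refused as a
// whole rather than silently truncated, so the caller learns about the limit.
function warmstart(items: WarmstartItem[], store: (item: WarmstartItem) => void): WarmstartResult {
  if (items.length > WARMSTART_MAX_ITEMS) {
    return { accepted: 0, rejectedReason: `batch of ${items.length} exceeds cap of ${WARMSTART_MAX_ITEMS}` };
  }
  for (const item of items) store(item);
  return { accepted: items.length };
}

// Constructed demonstration: 70 calls in the same instant, only 60 get through.
function demoLimiter(): number {
  let clock = 0;
  const limiter = new SlidingWindowLimiter(RATE_LIMIT_PER_MINUTE, () => clock);
  let allowed = 0;
  for (let i = 0; i < 70; i++) if (limiter.tryAcquire()) allowed++;
  console.log(`allowed ${allowed} of 70`);
  return allowed;
}

demoLimiter();
```

Warmstart in the table above bypasses this limiter by design (it uses a direct transactional INSERT), which is exactly why it needs its own cap: a control that throttles one path must not leave a second path uncapped.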
```bash
# Verify no external URLs (should only show github.com in package.json)
grep -rn "https\?://" src/ index.ts | grep -v "localhost" | grep -v "github.com" | grep -v "example"
# Verify no fetch calls
grep -rn "fetch(" src/ index.ts
# Verify no WebSocket
grep -rn "WebSocket\|ws://" src/ index.ts
# Verify no eval/Function
grep -rn "eval(\|new Function\|require(" src/ index.ts
# Verify no dynamic imports
grep -rn "import(" src/ index.ts
```

Expected result: all commands return empty output.
If you discover a security issue, report it to security@gravityzenai.com.
Apache 2.0 — © 2026 GravityZenAI