The context-aware classification is neat, especially the pipe composition stuff. One thing I keep thinking about though — the scariest exfiltration pattern isn't a single bad command, it's a chain of totally normal ones. Agent reads .env (filesystem_read → allow), writes a script that happens to include those values (project write → allow), then runs it (package_run → allow). Every step looks fine individually. Credentials gone. This is basically the same problem as cross-module vulns in web apps — each component is secure on its own, the exploit lives in the data flow between them. Would be interesting to see some kind of session-level tracking that flags when sensitive reads flow into writes and then executions within the same session. Doesn't need to be heavy — just correlating what was read with what gets written/executed.
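One way to implement the session-level correlation described in the comment above, as an added example that is not code from nah or from the commenter. The `SessionTaintTracker` class, the `SENSITIVE_PATHS` markers, the length cutoff for secret values and the sample session are assumptions made for illustration; the point is that each hook still returns "allow" on its own and only the correlation across read, write and exec produces a finding.

```python
import re
from dataclasses import dataclass, field

# Hypothetical markers for files whose contents should be treated as secrets.
SENSITIVE_PATHS = (".env", "credentials", "id_rsa", ".pem")

# Skip short values such as "true" or "8080" that would cause noisy matches.
MIN_SECRET_LEN = 8

# Matches KEY=value lines (optionally "export KEY=value", quoted or not).
_ASSIGN_RE = re.compile(r"\s*(?:export\s+)?[A-Za-z_][A-Za-z0-9_]*\s*=\s*['\"]?([^'\"\s#]+)")


@dataclass
class SessionTaintTracker:
    """Correlates sensitive reads with later writes and executions in one agent session.

    Each hook mirrors a per-command gate decision ("allow"), but remembers enough
    state that the read -> write -> exec chain can be flagged as a whole.
    """
    secret_values: set = field(default_factory=set)   # values read from sensitive files
    tainted_files: set = field(default_factory=set)   # files written with those values
    findings: list = field(default_factory=list)      # (kind, target, detail) tuples

    @staticmethod
    def _is_sensitive(path: str) -> bool:
        return any(marker in path for marker in SENSITIVE_PATHS)

    def on_read(self, path: str, content: str) -> str:
        """filesystem_read hook: record secret-looking values from sensitive files."""
        if self._is_sensitive(path):
            for line in content.splitlines():
                m = _ASSIGN_RE.match(line)
                if m and len(m.group(1)) >= MIN_SECRET_LEN:
                    self.secret_values.add(m.group(1))
        return "allow"

    def on_write(self, path: str, content: str) -> str:
        """project write hook: flag a write whose content carries a previously read secret."""
        leaked = sorted(v for v in self.secret_values if v in content)
        if leaked:
            self.tainted_files.add(path)
            self.findings.append(("write", path, leaked))
            return "flag"
        return "allow"

    def on_exec(self, command: str) -> str:
        """package_run hook: block execution of a file that was written with tainted data."""
        for tainted in self.tainted_files:
            if tainted in command:
                self.findings.append(("exec", command, tainted))
                return "block"
        return "allow"


def simulate_session() -> SessionTaintTracker:
    """Replays the constructed read -> write -> exec chain from the comment."""
    tracker = SessionTaintTracker()
    # Constructed sample .env content; the values are placeholders, not real secrets.
    tracker.on_read(".env", "DB_PASSWORD=examplepassword123\nDEBUG=true\n")
    tracker.on_write("build.py", "print('building')\n")                       # clean write
    tracker.on_write("upload.py", "send({'p': 'examplepassword123'})\n")        # carries the secret
    tracker.on_exec("python build.py")                                          # allowed
    tracker.on_exec("python upload.py")                                         # blocked
    return tracker


if __name__ == "__main__":
    for finding in simulate_session().findings:
        print(finding)
```

The tracker only catches verbatim reuse of a value; an agent that base64-encodes or splits the secret before writing it would slip past this exact-match check, which is why the same state should also feed whatever reads the script before execution, and why a network-side exfiltration monitor remains a separate layer.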

thanks! and I agree with you on chain exfiltration - it's a hard one to protect against. nah passes the last few messages of conversation history to the LLM gate, so it may be able to catch this scenario, but it's far from a guarantee. I plan to add a gate where an LLM reads scripts before executing, which will also mitigate this.

The right solution though is a monitoring service on your network that checks for exfiltration of credentials. nah is just one layer in the stack.