sisterd_lite

The server exposes powerful system management tools, including direct shell command execution (`execute_shell_command` using `subprocess.run(..., shell=True)`) and self-modification capabilities (reading/writing workspace files). While a permission system (`PermissionManager`) and auditing decorators (`permission_audit`) are in place, the 'full' template explicitly grants AI agents broad, highly privileged access. This design is inherently high-risk, as a compromised or hallucinating LLM could execute arbitrary, destructive commands, including system reboots, user management, and sensitive file modifications. Network exposure through HTTP/JSON-RPC (ports 8089/7861 by README, 8888/7860 by script default) to these powerful tools without strong external authentication/sandboxing constitutes a severe vulnerability. The `OllamaClient` creates outbound connections, and `ContainerManager` directly invokes Docker commands, adding attack surface.