The core is an HTTP/WebSocket reverse proxy in Go (~6k lines) with four scanners:
1. Prompt injection detection - three tiers: regex heuristics (role overrides, instruction injection, delimiter attacks, encoding attacks), structural analysis (base64-decoded instruction blocks, imperative verb density scoring), and canary token leak detection.
2. Secrets/PII scanning - regex argument filters applied to decoded JSON values (defeats unicode escape bypasses like \u0070assword).
3. Vulnerability scanning - SQLi (UNION, tautologies, blind with SLEEP/BENCHMARK), SSRF (private IPs, cloud metadata at 169.254.169.254, decimal/hex IP encoding, dangerous schemes like gopher://), path traversal (double URL-encoding, null bytes), command injection (shell metacharacters, backtick execution), XSS.
4. Malware detection - magic bytes for PE/ELF/Mach-O, YARA-like signature rules for reverse shells and C2 frameworks, archive bomb detection via compression ratio, Shannon entropy analysis.
Policy engine is deny-by-default YAML. You define tool allowlists, denylists, per-tool argument filters, domain allowlists, and per-agent/per-channel restrictions. Every decision is logged to SQLite.
Optional extras: iptables egress firewall (Go, generates validated rules from YAML) and eBPF kernel monitor (Python/BCC - traces execve, tcp_v4_connect, openat2, setuid for fork bomb/privesc/port scan detection).
Docker quickstart is 3 commands. Ten cross-compiled binaries on the release (proxy + setup wizard for linux/mac/windows, amd64/arm64).
We run this in production at clawshield.sleuthco.ai.
I built this because I was contributing security patches to OpenClaw and the netfilter suite and kept seeing the same gap: the AI ecosystem has sophisticated multi-agent routing but no standardized way to inspect and control what flows through it.
Happy to answer questions about the scanner architecture, policy engine, or threat model.
sleuthco•3h ago