chainwall

v2.2.8

Published

3 months ago

Antivirus for AI agents — scan your machine, see what's exposed, block threats

0High
0Medium
0Low

security ai-safety antivirus secrets-detection prompt-injection llm-security ai-agents mcp pre-commit-hook claude-code cursor copilot

Antivirus for AI tools.

Your AI tools have access to every secret on your machine. ChainWall scans your filesystem, maps which tools can reach your credentials, and blocks threats before they happen. Keep your device safe.

241 detection patterns · 18 AI tools audited · 978 tests · <50ms hooks

Get Started

npm install -g chainwall
chainwall

That's it. Two commands. The interactive dashboard opens and walks you through everything — scan for secrets, audit your AI tools, monitor runtime behavior, and configure protection. No flags to memorize, no config files to write.

[!TIP] The dashboard is the best way to use ChainWall. Navigate with 1-6, run scans and audits from inside, toggle protection with p, remediate findings with r, and press ? for all keybindings. Everything the CLI can do, the dashboard does better.

Twitter · GitHub · @girlintokyo

The Problem

[!WARNING] Your AI tools can read every secret on your machine right now.

AI tools have broad filesystem access — coding agents, chat assistants, automation workflows, MCP servers — they can all reach your AWS credentials, SSH keys, .env files, crypto wallets, and browser cookies. Most users have no idea how exposed they are.

The threat isn't hypothetical. A single prompt injection buried in a dependency README. A hallucinated shell command that pipes your keys to a remote server. A compromised MCP server that exfiltrates environment variables on every call. The agent doesn't need to be malicious — it just needs to be tricked.

There's no firewall between your AI tools and your secrets. No permission model. No audit trail. You're running autonomous software with the keys to your entire digital life, and hoping for the best.

ChainWall closes the gap. Scan what's exposed, see which tools can reach it, and block threats before they execute — in under a minute.

See It in Action

What It Does

Scan

ChainWall walks your filesystem and matches every file against 241 detection patterns — credentials, private keys, crypto seeds, PII, dangerous commands, supply chain attacks, and cryptojacking. Entropy validation filters out false positives so you only see real secrets. System-level scans target the specific locations where credentials actually live: ~/.aws, ~/.ssh, ~/.gnupg, browser profiles, and more.

Audit

The auditor detects every AI tool on your machine — 18 tools across three access levels — then cross-references each tool's filesystem reach against your discovered secrets. The result is an exposure map: which tools can read which secrets, ranked by risk. It also inspects MCP server configurations for poisoning attacks (description injection, typosquatting, rug-pull detection), VS Code extensions, CLI tools, environment variables, running cryptocurrency miners, and skill/instruction file threats.

Sections like MCP Servers, VS Code Extensions, and Environment Variables show "None found." when your system is clean — that's the goal. If something is lurking, ChainWall will surface it.

Monitor

Runtime behavioral analysis scans running processes, network connections, browser extensions, shadow AI tools, clipboard contents, and persistence mechanisms (crontab, launch agents, shell profiles). Findings are correlated using signal-based scoring with PID cross-referencing and optional baseline diffing to detect new activity since your last snapshot.

Protect

Real-time bash hooks intercept dangerous operations before they execute. Pre-commit hooks block secrets from entering your git history. Pre-push hooks catch force-pushes and branch deletions. PreToolUse and PostToolUse hooks run inline with Claude Code to block file reads and shell commands in real-time — under 50ms, every time.

[!IMPORTANT] The two layers are fully independent. Bash hooks work without Node.js installed. The TypeScript CLI works without hooks being configured. Use either or both.

CLI Commands

The dashboard is the recommended way to use ChainWall, but every feature is also available as a standalone command:

chainwall                # launch the interactive dashboard (recommended)
chainwall scan           # find secrets, keys, and PII on your machine
chainwall audit          # map which AI tools can reach those secrets
chainwall monitor        # runtime behavioral analysis (processes, network, persistence)
chainwall init           # install real-time protection hooks (one-time setup)

[!NOTE] chainwall init only needs to run once per project to deploy hooks. After that, just launch chainwall for the full dashboard.

Platform Guide

macOS — Open Terminal (built-in, found in Applications > Utilities) or iTerm2. Both work out of the box. Bash hooks and the CLI run natively.

Linux — Use any terminal emulator: GNOME Terminal, Konsole, Alacritty, kitty, or whatever ships with your distro. Everything runs natively.

Windows — The chainwall CLI (scan, audit, dashboard) works in any terminal: PowerShell, Command Prompt, or Windows Terminal. However, the real-time bash hooks require a Unix shell. To get full protection including hooks, use one of these:

WSL2 (recommended) — Run wsl --install in PowerShell. This gives you a full Linux environment inside Windows. Install Node.js inside WSL, then npm install -g chainwall from there.
Git Bash — Comes bundled with Git for Windows. Provides bash and common Unix tools. Install Git for Windows, then run ChainWall from the Git Bash terminal.

git clone https://github.com/consulalialpric/chainwall.git
cd chainwall && npm install && npm run build && npm link

git clone https://github.com/consulalialpric/chainwall.git ~/tools/chainwall
cd your-project && ~/tools/chainwall/install.sh

Pure bash + jq, executes in under 50ms, zero network calls.

Detection Patterns

241 patterns across 12 categories, with entropy validation to reduce false positives.

| Category | Patterns | |:---------|:--------:| | Credentials | 55 | | Private Keys | 5 | | Crypto / Web3 | 26 | | Dangerous Commands | 26 | | PII | 15 | | Supply Chain | 16 | | Prompt Injection | 18 | | Cryptojacking | 19 | | Exfiltration | 19 | | Skill File Threats | 25 | | MCP Poisoning | 6 modules | | Permissions | 11 |

241 total patterns across all detection systems: 194 compiled scanner rules + 25 skill-file rules + 10 contextual injection patterns + 6 MCP poisoning modules + 3 shell history + 11 permission checks, loaded separately per context.

AWS: Access Key ID, Secret Access Key, Session Token Google / GCP: API Key, Service Account Key, OAuth Client Secret Azure: Storage Account Key, AD Client Secret, Connection String GitHub: Personal Access Token, Fine-Grained Token, OAuth Access Token, App Token, App Refresh Token GitLab: Personal Access Token, Pipeline Token, Runner Token Slack: Bot/User Token, Webhook URL Stripe: Secret Key, Restricted Key, Webhook Secret OpenAI / Anthropic: OpenAI API Key, OpenAI Project Key, Anthropic API Key Twilio: API Key, Account SID SendGrid: API Key Supabase: Service Role Key, Anon Key Firebase: Server Key Databricks: Access Token npm / PyPI / Docker: npm Access Token, PyPI API Token, Docker Hub Access Token JWT / Bearer: JSON Web Token, Bearer Token HashiCorp Vault: Service Token, Batch Token Datadog: API Key Mailgun: API Key Heroku: API Key Shopify: Access Token, Custom App Token, Private App Password Linear: API Key Vercel: Access Token Generic: API Key Assignment, Password in Config, Private Key Variable

RSA Private Key, DSA Private Key, EC Private Key, OpenSSH Private Key, PGP Private Key Block

Seed Phrases: BIP39 12-word, BIP39 24-word Private Keys: Ethereum (keyword context), Ethereum (env var), Solana Keypair (JSON), Solana Base58, Bitcoin WIF, MetaMask Vault/Mnemonic, Hardhat/Foundry Deployment Key Exchange APIs: Binance, Coinbase, Kraken, Bybit, OKX, KuCoin, Generic Exchange Infrastructure: Alchemy, Infura, QuickNode RPC URL, Helius RPC Key Wallet Files: Seed Phrase Backup, Electrum Wallet, Trading Bot Config, Bitcoin wallet.dat, Ethereum Keystore, Solana Keypair File

Destructive: Recursive Force Delete (rm -rf), Shred File, DD to Device, Filesystem Format, Direct Device Write Remote Execution: Curl Pipe to Shell, Eval from Variable, Base64 Decode Execute Permissions: World-Writable (chmod 777), SetUID Bit, LD_PRELOAD Injection, PATH Manipulation Network: Netcat Listener, Reverse Shell, SSH Tunnel Persistence: Crontab Modification, Systemd Service Install, Hosts File Modification, Sudoers Modification Docker Escapes: Socket Mount, Privileged Container, Host PID Namespace, Host Network, CAP_SYS_ADMIN Anti-Forensics: History Deletion, Log Tampering

Identity: US Social Security Number (with AAA validation), US SSN (no dashes), US EIN/Tax ID, Passport Number, Driver License, Date of Birth Financial: Credit Card Number (Luhn validated), Bank Account Number, Routing Number, IBAN (mod-97 validated) Medical (HIPAA): Email with PII Context, Phone in PII Context, Medical Record Number, DEA Number, Medicare ID

Package Managers: pip Install from URL, pip Trusted Host, npm Registry Override, Gem Install from Source, Dependency Confusion (--extra-index-url) Lifecycle Exploits: Package.json Lifecycle Script (network), Package.json Lifecycle Script (eval), Setup.py OS Command Lock Files: Lock File Deletion, Lock File Git Checkout Dependencies: Git Dependency with Commit Hash, Private Registry in Lockfile, NPM Scope Confusion, Native Module Prebuild Download Docker: Image Without Tag, Image from Unknown Registry

Instruction Override: Ignore Previous Instructions, Disregard Prior Instructions, Forget Instructions, New Instructions Override Identity Manipulation: Role Assumption, Authority Claim, Admin Override Prompt Extraction: System Prompt Disclosure, Prompt Fragments, Instruction Reflection Jailbreaks: DAN/Jailbreak Keywords, Do Anything Now, Hypothetical Bypass Obfuscation: Base64 Instruction, Markdown/Code Block Injection Output Control: Output Suppression, Response Formatting Attack, Output Suppression Override

Mining Pools: Stratum+TCP URL, Stratum+SSL URL, Known Pool Domains, Mining Pool Ports Miner Binaries: XMRig, Known Miners (ethminer, cgminer, bfgminer, phoenixminer, cpuminer, claymore, t-rex, lolminer, nbminer, gminer) Browser Mining: CoinHive, CryptoLoot, WebAssembly Mining Module Mining Libraries: JS Import, Python Import Configuration: Mining Algorithm in Config, Monero Wallet Address, Mining Environment Variables, Hashrate Configuration Files: XMRig Config, Mining Pools Config, Miner Config Runtime: Mining Process Launch

Shell Payloads: Curl Pipe to Shell, Wget Pipe to Shell, Reverse Shell, Destructive rm, chmod 777 Data Exfiltration: curl POST Exfiltration, Webhook Data Send, Encoded URL Exfiltration Supply Chain: pip Install from URL, npm Install from URL/Git Obfuscated Payloads: Long Hex Escape Sequence, Long Base64 String, Eval with String Concatenation Hidden Instructions: HTML Comment with Action Keywords, Unicode Bidirectional Override, Script/Iframe Tag, Zero-Width Characters Credential Harvesting: SSH Key Read, AWS Credentials Read, .env File Read, Environment Variable Dump System Modification: Shell Profile Modification, Crontab Modification, Write to /etc/ Security Bypass: Security Tool Disable, SSL/TLS Verification Disable, Password-Protected Archive Extraction

MCP tool poisoning detection — description injection, typosquatting (Levenshtein distance), excessive permission combos, suspicious URLs, known CVEs (CVE-2025-68145/68143/68144), rug-pull detection via SHA-256 hash tracking
Environment variable audit — scans process.env for 33 sensitive key patterns
Entropy-based validation — Shannon entropy filtering on tokens to reduce false positives
Base64 obfuscation detection — catches base64 -d | bash and encoded payloads
Docker escape detection — socket mounts, --privileged, host PID/network, CAP_SYS_ADMIN
SARIF 2.1.0 export — chainwall scan --format sarif for CI/CD integration
Real-time watch mode — chainwall watch with debounce and content-hash caching
Prompt injection scanning — 27 patterns across 19 instruction file types (.cursorrules, CLAUDE.md, .windsurfrules, etc.)

Supported AI Tools

ChainWall detects and audits 18 AI tools, grouped by filesystem access level.

| Access | Tools | |:-------|:------| | :red_circle: Full (any file on disk) | Claude Code, Codex CLI, Aider, Trae IDE, Bolt | | :orange_circle: Workspace (project files) | Cursor, Windsurf, Continue.dev, Gemini Code Assist, Cline, RooCode, Amazon Q, JetBrains AI, Augment, BLACKBOXAI, Qodo Gen, Kiro | | :green_circle: Limited (open files only) | GitHub Copilot |

The auditor cross-references each tool's access level against your discovered secrets to show exactly which tools can reach which sensitive files. A secret inside your project directory is reachable by every workspace-level tool. A secret in ~/.aws/credentials is only reachable by full-access tools.

Instruction files are deployed to 11 tools via chainwall init.

MCP Server

ChainWall includes an MCP server that AI agents can call directly for real-time security checks — scan files, validate commands, and query protection status without leaving the agent loop.

Tools

| Tool | Description | |:-----|:-----------| | scan_file | Scan a file for secrets (restricted to cwd) | | scan_content | Scan arbitrary text for secrets | | check_command | Check if a shell command is dangerous | | audit_status | Get current protection status | | monitor_snapshot | Runtime behavioral scan (processes, network, persistence) | | capture_baseline | Capture system baseline for future diffing |

Setup

Automatic

chainwall init

This registers the MCP server in Claude Desktop and Cursor automatically.

Manual

Add the chainwall server to your MCP client config:

| Client | Config path | |--------|------------| | Claude Desktop (macOS) | ~/Library/Application Support/Claude/claude_desktop_config.json | | Claude Desktop (Linux) | ~/.config/Claude/claude_desktop_config.json | | Cursor | ~/.cursor/mcp.json | | Windsurf / other | Any MCP config — just needs chainwall-mcp on PATH |

{
  "mcpServers": {
    "chainwall": {
      "command": "chainwall-mcp"
    }
  }
}

Direct usage

chainwall mcp

Starts the MCP server on stdio for testing or debugging. Useful for verifying tool responses before wiring it into your AI client.

[!TIP] The MCP server (above) lets agents call ChainWall for security checks. The MCP detector (part of chainwall audit) finds MCP servers already on your system and analyzes them for poisoning attacks — description injection, typosquatting, excessive permissions, and rug-pull detection. They're separate features.

Architecture

graph TD
    CW["<b>CHAINWALL</b>"] --> BH["<b>Bash Hooks</b><br><i>real-time, &lt;50ms</i><br>PreToolUse · PostToolUse<br>pre-commit · pre-push"]
    CW --> CLI["<b>TypeScript CLI</b><br><i>scan / audit / TUI</i><br>241 patterns · 18 tools<br>exposure map · SARIF"]
    CW --> MON["<b>Runtime Monitor</b><br><i>behavioral analysis</i><br>process · network · browser<br>shadow AI · clipboard · persistence"]
    CW --> MCP["<b>MCP Server</b><br><i>agent-callable</i><br>scan_file · scan_content<br>check_command · audit_status<br>monitor_snapshot · capture_baseline"]
    BH --> XR["<b>Cross-Reference</b><br><b>Exposure Map</b><br><i>secrets × tool access<br>= what's actually at risk</i>"]
    CLI --> XR
    MON --> XR
    MCP --> XR

hooks/              Bash hooks (PreToolUse/PostToolUse, git pre-commit/pre-push)
patterns/           YAML pattern databases (8 files)
rules/              Instruction files for 11 AI tools
src/
  commands/         scan, audit, init, watch, monitor, allow handlers
  rules/            241 patterns as pre-compiled RegExp
  scanner/          Async filesystem walker + rule engine
  auditor/          18-tool detector + MCP/CLI/VS Code scanner + MCP poison detector + miner detector
  reporter/         Terminal, JSON, SARIF, audit reports
  monitor/          6 runtime scanners + correlation + baseline
  tui/              Interactive TUI (Ink + React)
  mcp-server/       6-tool MCP server (stdio transport)
test/               Vitest tests (35 files)
tests/              Bash test suite (11 suites)
install.sh          Universal installer

Reference

| Command | Description | |:--------|:-----------| | chainwall | Launch interactive dashboard | | chainwall scan [dir] | Scan for secrets, keys, and PII | | chainwall scan --system | System credential locations only | | chainwall audit [dir] | Map AI tool access + cross-reference exposure | | chainwall watch [dir] | Real-time file monitoring | | chainwall monitor [dir] | Runtime behavioral analysis | | chainwall init [dir] | Install hooks for detected AI tools | | chainwall enable / disable | Toggle real-time protection | | chainwall status | Show protection status | | chainwall allow <path> | Add path to allowlist | | chainwall allow --rule <id> | Disable a detection rule | | chainwall mcp | Start MCP security server (stdio transport) |

| Flag | Applies to | Description | |:-----|:-----------|:-----------| | --format sarif\|json\|text | scan | Output format (default: text) | | --json | audit | Output as JSON | | --crypto-only | scan | Only run crypto/web3 rules | | --include-tests | scan | Include test directories (normally skipped) | | --verbose | scan | Show match details | | --grouped | scan | Group findings by category | | --remediate | audit | Interactive remediation prompts | | --deep | audit | Full recursive home directory walk | | --baseline | monitor | Compare against saved baseline | | --json | monitor | Output as JSON |

~/.llm-av/config.json        global (all projects)
.llm-av/config.json           project (this repo only)

{
  "enabled": true,
  "allowlist": {
    "paths": ["test-fixtures/", "vendor/"],
    "patterns": ["EXAMPLE_KEY"],
    "rules": ["generic-api-key-assignment"]
  },
  "blocklist": {
    "paths": [".env.production"],
    "patterns": ["MY_SECRET_PREFIX"]
  },
  "skipDirs": ["test-integration", "__vitest__"]
}

Blocklist always wins. LLMAV_SKIP=1 bypasses all checks for one invocation (always logged).

Launch with chainwall (no arguments) for a full-screen keyboard-driven dashboard.

| Panel | What it shows | |:------|:-------------| | Overview | Protection status, detected tools, risk score, system summary | | Scan | Mode selection with duration estimates, grouped results, severity/category filtering, search, allowlisting | | Audit | 9-section accordion (tools, exposure map, MCP, CLIs, VS Code, env, MCP poisoning, cryptojacking), remediation actions | | Monitor | Runtime behavioral analysis — 6-scanner accordion with detail views, remediation, severity filtering | | Settings | Allowlist/blocklist/skipDirs, toggle protection, global/project scope | | Logs | Audit trail with severity filtering and real-time reload |

Keyboard: 1-6 switch panels · p toggle protection · ? help · q quit

| Feature | ChainWall | git-secrets | truffleHog | gitleaks | |:--------|:---------:|:-----------:|:----------:|:--------:| | Real-time hook blocking | :white_check_mark: | :x: | :x: | :x: | | Pre-commit scanning | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | AI tool access auditing | :white_check_mark: | :x: | :x: | :x: | | MCP server detection | :white_check_mark: | :x: | :x: | :x: | | MCP poisoning detection | :white_check_mark: | :x: | :x: | :x: | | Skill file threat scanning | :white_check_mark: | :x: | :x: | :x: | | Cryptojacking detection | :white_check_mark: | :x: | :x: | :x: | | Runtime behavioral monitoring | :white_check_mark: | :x: | :x: | :x: | | Instruction file deployment | 11 tools | :x: | :x: | :x: | | Entropy validation | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | | PII detection | :white_check_mark: | :x: | :x: | :x: | | Crypto / Web3 patterns | 26 | :x: | Limited | Limited | | SARIF export | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | | Interactive TUI | :white_check_mark: | :x: | :x: | :x: | | Zero-dependency hooks | bash + jq | bash + git | Go binary | Go binary |

[!NOTE] git-secrets, truffleHog, and gitleaks are excellent tools for scanning repos and CI pipelines. ChainWall is designed specifically for the AI agent threat model — where the risk isn't just committing a secret, but an agent reading, exfiltrating, or acting on it in real time.

./tests/run-all.sh    # 225 bash hook tests (11 suites)
npx vitest run        # 753 vitest tests (35 test files)

978 tests total, all passing.

| Component | Requires | |:----------|:---------| | Bash hooks | bash 3.2+, jq | | ChainWall CLI | Node.js 18.17+ |

Community & Contributing

Open an issue for bugs and feature requests
Start a discussion for questions and ideas
Follow @girlintokyo and @Antivirus on Twitter
See CONTRIBUTING.md for development guide

Built by @girlintokyo.

License

MIT