Scan every prompt
before money moves.

Every agent input. One deterministic verdict. Zero LLM calls.

Real numbers from this codebase — built for OKX.AI Genesis

  • 11 RULE FILES
  • 49_patterns
  • <2ms scans
  • 0 LLM CALLS
  • MIT license
  • 1 ENDPOINT
  • 0–100 score
  • 3_verdicts
  • 5 CONTEXTS
  • 6 actions
  • Zod validated
  • TS STRICT

The attack surface

One injected sentence can empty a wallet

Task descriptions, scraped pages, tool output, and agent memory can all carry hidden instructions. When your agent holds keys, a missed injection becomes a signed transfer. See how the scanner works.

  • Spoofed Authority
  • Contradictory Instructions
  • Financial Manipulation
  • Hidden Directives
  • Instruction Override
  • Prompt Injection
  • Role Override
  • Suspicious Delimiters
  • System Prompt Extraction
  • Invisible Unicode
  • Urgency Manipulation

Introducing Clipeus

One scan before every agent action

Clipeus analyzes agent-bound text with deterministic rules — regex, Unicode heuristics, and weighted scoring — then returns an explainable risk verdict. It advises; your agent decides. No LLMs, no black boxes.

Platform integrations

Screen task input before the agent runs

Clipeus for Task Agents

Planners and tool-calling loops act on whatever text they are handed. Clipeus scans task descriptions, scraped pages, and tool output before your agent treats them as instructions.

Try it live

Gate the signature, not the agent

Clipeus for Wallet Signers

Pass action_pending with the scan and financial actions get an amplified score — a pending transfer weighs more than a read-only task. Your signer sees the verdict before anything is signed.

Try it live

Drop a JSON file, get a new detection

Rules as data, not code

Every detection lives in /rules/*.json — a category, a weight, and regex patterns with human-readable reasons. The loader picks up new files automatically; the scanner code never changes.

Read the docs

One endpoint for every integration

Clipeus for MCP & REST

Call POST /api/scan from an MCP tool server, a webhook, or any backend that consumes untrusted text. One JSON in, one explainable verdict out.

Try it live

Deterministic. Explainable. Fast.

Explainable by design

Rules as data by default

Eleven JSON files define every detection. Add a file and the scanner speaks a new category — the engine code never changes.

One REST endpoint

POST /api/scan takes content plus a pending action and returns score, verdict, flagged spans, and reasons in a single JSON response.

Runs anywhere Node runs

Self-host the whole app. Scans are local and deterministic — no external calls, no model drift. Same input, same output.

  1. Receive

    Your agent sends candidate text before acting on it.

  2. Match

    NFKC-normalized text runs against every pattern in /rules.

  3. Score

    Weighted findings roll up to a 0–100 risk score and verdict.

Adversarial testing

Try to break the rule engine

The playground runs the exact rules the API uses. Paste your nastiest injection attempts and watch every flagged span get explained.

Open the playground

Opinionated by design

Scan your first prompt in ten seconds

This form hits the real POST /api/scan endpoint — the same one your agents will call. Scans as a pending transfer_funds action.

MIT licensed · Rule-based · Zero LLM calls · Analyzes, never decides