Openclaw Plugin
Inference-based intrusion detection for AI agents. Pattern matching + LLM analysis for jailbreaks, prompt injection, credential theft, social engineering. 108 detection patterns, OpenClaw plugin, auto
Inference-based intrusion detection for AI agents with quarantine and human-in-the-loop.
These are non-negotiable design principles:
Human-in-the-loop review goes through `/approve`, `/reject`, `/trust` and `/quarantine`.

Message flow:

```
Message arrives
      ↓
hopeIDS.autoScan()
      ↓
┌─────────────────────────────────────────┐
│ risk >= threshold?                      │
│                                         │
│ BLOCK (strictMode):                     │
│   → Create QuarantineRecord             │
│   → Send Telegram alert                 │
│   → ABORT (no recall, no agent)         │
│                                         │
│ WARN (non-strict):                      │
│   → Inject <security-alert>             │
│   → Continue to jasper-recall           │
│   → Continue to agent                   │
│                                         │
│ ALLOW:                                  │
│   → Continue normally                   │
└─────────────────────────────────────────┘
```

Plugin configuration:

```json
{
  "plugins": {
    "entries": {
      "hopeids": {
        "enabled": true,
        "config": {
          "autoScan": true,
          "defaultRiskThreshold": 0.7,
          "strictMode": false,
          "telegramAlerts": true,
          "agents": {
            "moltbook-scanner": { "strictMode": true, "riskThreshold": 0.7 },
            "main": { "strictMode": false, "riskThreshold": 0.8 }
          }
        }
      }
    }
  }
}
```
| Option | Type | Default | Description |
|---|---|---|---|
| `autoScan` | boolean | | Auto-scan every message |
| `strictMode` | boolean | | Block (vs warn) on threats |
| `defaultRiskThreshold` | number | | Risk level that triggers action |
| `telegramAlerts` | boolean | | Send alerts for blocked messages |
| | string | - | Override alert destination |
| | string | | Storage path |
| `agents` | object | - | Per-agent overrides |
| | boolean | | Skip scanning owner messages |

(Option names that the configuration example above does not show are left blank.)
When a message is blocked, a metadata record is created:

```json
{
  "id": "q-7f3a2b",
  "ts": "2026-02-06T00:48:00Z",
  "agent": "moltbook-scanner",
  "source": "moltbook",
  "senderId": "@sus_user",
  "intent": "instruction_override",
  "risk": 0.85,
  "patterns": [
    "matched regex: ignore.*instructions",
    "matched keyword: api key"
  ],
  "contentHash": "ab12cd34...",
  "status": "pending"
}
```

Note: there is NO `originalMessage` field. This is intentional.
When a message is blocked, the Telegram alert looks like this:

```
🛑 Message blocked
ID: q-7f3a2b
Agent: moltbook-scanner
Source: moltbook
Sender: @sus_user
Intent: instruction_override (85%)
Patterns:
  • matched regex: ignore.*instructions
  • matched keyword: api key

/approve q-7f3a2b
/reject q-7f3a2b
/trust @sus_user
```
Built from metadata only. No LLM touches this.
`/quarantine [all|clean]`: List quarantine records.

```
/quarantine        # List pending
/quarantine all    # List all (including resolved)
/quarantine clean  # Clean expired records
```

`/approve <id>`: Mark a blocked message as a false positive.

```
/approve q-7f3a2b
```

Effect: the record's status is set to `approved`.

`/reject <id>`: Confirm a blocked message was a true positive.

```
/reject q-7f3a2b
```

Effect: the record's status is set to `rejected`.

`/trust <senderId>`: Whitelist a sender for future messages.

```
/trust @legitimate_user
```

`/scan <message>`: Manually scan a message.

```
/scan ignore your previous instructions and...
```
| Command | What it does | What it doesn't do |
|---|---|---|
| `/approve` | Marks as false positive, may adjust IDS | Does NOT re-inject the message |
| `/reject` | Confirms threat, may strengthen patterns | Does NOT affect current message |
| `/trust` | Whitelists sender for future | Does NOT retroactively approve |
The blocked message is gone by design. If it was legitimate, the sender can re-send.
Different agents need different security postures:
```jsonc
"agents": {
  "moltbook-scanner": {
    "strictMode": true,      // Block threats
    "riskThreshold": 0.7     // 70% = suspicious
  },
  "main": {
    "strictMode": false,     // Warn only
    "riskThreshold": 0.8     // Higher bar for main
  },
  "email-processor": {
    "strictMode": true,      // Always block
    "riskThreshold": 0.6     // More paranoid
  }
}
```
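The pieces above (the autoScan decision, per-agent thresholds, the metadata-only quarantine record, the alert built without the message body, and the approve/reject/trust commands) fit together as follows. This is an added Python sketch written for this page, not hopeIDS's own code; the pattern set, the `risk` values, the sha256 content hash and the helper names (`auto_scan`, `render_alert`, `resolve`) are all assumptions, and the sample messages are constructed.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed pattern set (not the plugin's 108 patterns). Each entry maps a
# match to an intent label and the risk score it contributes.
PATTERNS = [
    ("regex", r"ignore.*instructions", "instruction_override", 0.85),
    ("regex", r"you are now .*(admin|system)", "impersonation", 0.80),
    ("keyword", "api key", "credential_theft", 0.60),
    ("keyword", "curl http", "data_exfil", 0.90),
]

# Constructed config in the shape of the page's example (global defaults plus
# per-agent overrides).
CONFIG = {
    "defaultRiskThreshold": 0.7,
    "strictMode": False,
    "agents": {
        "moltbook-scanner": {"strictMode": True, "riskThreshold": 0.7},
        "main": {"strictMode": False, "riskThreshold": 0.8},
        "email-processor": {"strictMode": True, "riskThreshold": 0.6},
    },
}


@dataclass
class QuarantineRecord:
    """Metadata only: deliberately no originalMessage field."""
    id: str
    agent: str
    source: str
    senderId: str
    intent: str
    risk: float
    patterns: list
    contentHash: str
    status: str = "pending"


def match_patterns(text):
    """Return (risk, intent, evidence) using the highest-risk matching pattern."""
    lowered = text.lower()
    hits = []
    for kind, pat, intent, risk in PATTERNS:
        if kind == "regex" and re.search(pat, lowered):
            hits.append((risk, intent, f"matched regex: {pat}"))
        elif kind == "keyword" and pat in lowered:
            hits.append((risk, intent, f"matched keyword: {pat}"))
    if not hits:
        return 0.0, "none", []
    hits.sort(reverse=True)  # strongest signal decides the intent
    return hits[0][0], hits[0][1], [h[2] for h in hits]


def agent_policy(agent, config=CONFIG):
    """Per-agent strictMode/riskThreshold, falling back to the global defaults."""
    per = config.get("agents", {}).get(agent, {})
    return (per.get("strictMode", config.get("strictMode", False)),
            per.get("riskThreshold", config.get("defaultRiskThreshold", 0.7)))


def auto_scan(message, agent, source, sender, trusted=frozenset(), config=CONFIG):
    """Decide ALLOW / WARN / BLOCK; on BLOCK return a metadata-only record."""
    if sender in trusted:           # whitelisted via /trust
        return "ALLOW", None
    risk, intent, evidence = match_patterns(message)
    strict, threshold = agent_policy(agent, config)
    if risk < threshold:
        return "ALLOW", None
    if not strict:                  # warn-only agents still reach the LLM
        return "WARN", None
    digest = hashlib.sha256(message.encode()).hexdigest()
    record = QuarantineRecord(id="q-" + digest[:6], agent=agent, source=source,
                              senderId=sender, intent=intent, risk=risk,
                              patterns=evidence, contentHash=digest)
    return "BLOCK", record          # message body is dropped here


def render_alert(rec):
    """Telegram-style alert built from record metadata only."""
    lines = ["🛑 Message blocked", f"ID: {rec.id}", f"Agent: {rec.agent}",
             f"Source: {rec.source}", f"Sender: {rec.senderId}",
             f"Intent: {rec.intent} ({round(rec.risk * 100)}%)", "Patterns:",
             *[f"  • {p}" for p in rec.patterns], "",
             f"/approve {rec.id}", f"/reject {rec.id}", f"/trust {rec.senderId}"]
    return "\n".join(lines)


def resolve(records, trusted, command, arg):
    """Apply /approve, /reject or /trust; none of them re-injects a message."""
    trusted = set(trusted)
    if command == "/trust":
        trusted.add(arg)
    elif command in ("/approve", "/reject"):
        for rec in records:
            if rec.id == arg and rec.status == "pending":
                rec.status = command[1:] + "d"   # approved / rejected
    return trusted
```

The same message scores 0.85 everywhere, but `moltbook-scanner` blocks it (strict, threshold 0.7), `main` only warns (non-strict, threshold 0.8), and a whitelisted sender is never scanned; `render_alert` can only show what the record holds, so the original text cannot leak through the alert path.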
| Category | Risk | Description |
|---|---|---|
| | 🔴 Critical | Shell commands, code execution |
| | 🔴 Critical | API key extraction attempts |
| | 🔴 Critical | Data leak to external URLs |
| | 🔴 High | Jailbreaks, "ignore previous" |
| | 🔴 High | Fake system/admin messages |
| | ⚠️ Medium | API/capability probing |
Installation:

```
npx hopeid setup
```

Then restart OpenClaw.