Integrate Tailscale into macOS containers using the Virtualization framework.

This project demonstrates how to integrate Tailscale into a minimal Linux host VM for each container instance on macOS. It runs Tailscale in userspace networking mode, enabling secure SSH connections and MagicDNS without exposing ports or configuring separate SSH servers.

Kubernetes security assessment CLI for RBAC and privilege escalation path analysis

Kubesplaining is a Kubernetes security assessment CLI that maps RBAC privilege-escalation paths in K8s clusters. It analyzes RBAC bindings and pod configurations to identify potential attack vectors by mapping out the paths an attacker could take to gain cluster-admin access or other privileged capabilities. The tool produces risk-prioritized HTML/JSON/CSV/SARIF reports showing the exact escalation chains with remediation guidance.

Connect to v3 onion services with C++20 using libsodium and mbedTLS.

Onionlink is a small C++20 Tor v3 onion-service client that communicates directly with Tor relays, builds necessary circuits for v3 access, and supports raw data exchange or HTTP requests with the service. It omits extensive security features present in standard Tor clients to focus on interoperability.

Detect processes using AF_ALG sockets in Linux.

This tool detects running processes that utilize the AF_ALG socket interface to help determine if it is safe to disable the AF_ALG kernel module. It outputs a list of processes and their file descriptors associated with AF_ALG.

Instant code security scanner for invisible Unicode steganography.

Detects hidden characters in code that can be used to hide executable payloads, flags sequences of invisible characters as potential threats, and identifies stray invisible characters from copy-paste operations. Runs entirely client-side with no data leaving the user's machine.

Catch fake AI-generated dependencies in code

Implit is a tool that scans AI-generated code and validates every import before it's run to prevent broken builds caused by non-existent or incorrectly imported packages.

Middleware proxy for LLM tool calls with security and token control

MCP Spine is a local-first proxy that sits between an LLM and MCP servers, providing security, routing, token control, and compliance. It offers features like rate limiting, secret scrubbing, semantic routing, schema minification for token savings, state guard for file version control, and a plugin system for custom middleware hooks.

A secret manager that keeps Kubernetes workload away from secrets

Kloak intercepts HTTPS traffic in Kubernetes using eBPF to replace hashed placeholders with real secrets at the network edge. Applications never see actual credentials, so compromised processes cannot leak secrets. Kloak can be installed with Helm.

Prove image and video authenticity with advanced cryptography.

ZCAM is a camera app that uses advanced cryptographic techniques to verify the authenticity of images and videos captured by users, proving they were created by real humans under specific conditions.

Ensure SDocs runs open-source code.

Verifies that the SDocs website serves the same code available in its GitHub repository, ensuring client-side privacy and security for sensitive data handled within Markdown files. This process uses SHA-256 hashing to compare file contents.

Custom credential provider API for Windows 10

Hodor is a Windows 11 credential provider DLL that accepts unlock commands over a named pipe. Any application that can write to a pipe can unlock the lock screen or approve a credential prompt without requiring Windows Hello enrollment or built-in biometric hardware. The DLL runs inside LogonUI.exe on the lock screen and hands credentials to Windows for validation.

Browser Fingerprinting

CreepJS is a browser fingerprinting tool that collects and analyzes various properties and characteristics of a web browser to generate a unique identifier. It captures information about the browser's configuration, installed plugins, system fonts, screen resolution, and other attributes to create a distinctive fingerprint. The service is used to demonstrate how easily unique browser identifiers can be generated for tracking purposes.

One HTML file that scores how human-like your interactions are.

Humanoid.js is a tool designed to analyze interaction signals in real-time, providing metrics such as pressure, displacement, and curvature to determine the humanness of user inputs. It supports multi-touch and trajectory visualization.

Inspect, edit, and override CSP headers in real time.

This browser extension allows users to manage Content Security Policy (CSP) settings directly from their browser. Users can debug CSP violations, test policies, and ensure secure web development practices.

AI vulnerability testing game

A platform that allows users to test the resilience of artificial intelligence agents through a series of challenges. The AI becomes progressively more intelligent with each round, and players can assess its vulnerabilities.

Zero-knowledge text encryption inside any web app

Locki provides enterprise-grade, zero-knowledge encryption for protecting sensitive data within existing web applications. Users can encrypt text directly from their browser by right-clicking and selecting the Locki option.

Desktop PGP workstation with simple GUI for secure messaging.

Eris is a focused PGP workstation designed to manage your own keys, store them in an encrypted vault, and handle encryption and verification workflows. It allows users to create key pairs, import public keys from contacts, and perform encryption, signing, decryption, and verification tasks locally using a secure vault file.

Free threat intelligence database of malicious and policy-violating Chrome extensions

Malext.io is a threat intelligence database that tracks and provides information about malicious, suspicious, and policy-violating Chrome extensions. It includes a list of extensions that have been removed from the Chrome Web Store but are still active elsewhere. The database is maintained through community reports and automated monitoring of the Chrome Web Store.

Detect AI-generated images, deepfakes, and synthetic media.

I Spy AI provides a tool to instantly detect whether an image is generated by AI or manipulated using deepfake technology. It supports JPEG, PNG, and WebP formats up to 15MB in size. The service can be integrated into various MCP-compatible AI agents for extended use.

See everything a webpage can learn about you

Browser Sysinfo uses client-side JavaScript to probe a user's browser and reveal information that websites can gather about the system, hardware, network, and identity without requiring installation or permission. It displays details such as CPU performance, GPU capabilities, memory usage, and various privacy-related metrics. The service also provides a privacy score and estimates uniqueness based on collected data.

Secure access governance for AI agents

AgentKey provides secure, on-demand access to API credentials for AI agents. Instead of storing sensitive keys in .env files, agents request credentials as needed and administrators approve each request. This prevents credentials from being hardcoded into agent implementations while maintaining proper access controls.

Bot detection system using a Bluetooth mesh network

This service detects and mitigates bot activity using an air-gapped Bluetooth mesh network. It appears to be a security solution focused on bot attacks.

High-precision detection of AI-generated voice synthesis using advanced acoustic analysis

BR-FVD is a service that verifies the authenticity of AI-synthesized voices. It offers both general and personalized models optimized for multiple speakers and specific individuals, respectively.

Secure OpenClaw execution without API key exposure

Nilbox provides an isolated VM environment for running OpenClaw with zero-token security. It blocks key exposure, restricts file access to explicitly allowed directories, filters network traffic using allowlists, and enforces API usage spending caps.

Policy management for Linux desktops

Bor enables users to define, distribute, and enforce desktop configuration policies across their fleet in real time. It is open source and designed to be secure by default, suitable for enterprise Linux environments.

API 키를 subprocess에 주입하는 로컬 우선 워크플로우

Keycard는 .env 파일과 노트 간에 API 키를 전환하는 것을 중지하도록 설계된 로컬 중심 워크플로우입니다. 빠르게 저장하고 환경별로 정리한 뒤 subprocess에 직접 주입합니다. 클라우드 없이 빠르고 집중적이며 사용자의 것입니다.

Encrypted, nothing stored, nothing repeated face-gated asset sharing.

Veylt provides encrypted asset sharing that is gated by facial detection, ensuring one-time viewing and then permanent deletion. It uses cryptographic protocols to ensure secure transmission without the need for user trust in the platform.

landdown provides simple sandboxing for shell scripts

landdown is a service that offers simple sandboxing capabilities for shell scripts, which helps protect servers from unauthorized access or malicious activities. It appears to be used for security purposes, particularly against mass scraping by AI companies that can cause website downtime.

Automated GitHub repository security scanning tool

Scans code repositories for security vulnerabilities using over 350 checks across multiple languages and technologies. Identifies potential security risks in code, dependencies, configurations, and secrets.

Open-source disposable email domain detection service

Provides a comprehensive database of over 160,000 disposable email domains for identification and filtering. Helps validate email addresses by detecting temporary or throwaway email domains.

Safely parse and classify shell commands for AI agent security

Kjell parses shell commands and classifies them as read, write, or unknown. It enables AI coding agents to automatically approve safe read commands and require confirmation for potentially destructive write commands.

Semantic taint tracking for code security analysis

Builds data flow graphs to track tainted input across functions, files, and frameworks. Performs full inter-procedural analysis for identifying potential security vulnerabilities.

Command execution safety mechanism with unexpected behavior

Provides configuration rules for restricting AI agent command execution. Evaluates command permissions by checking only the first token of compound commands.

Credit check and trust scoring system for autonomous AI agents

Provides a secure payment infrastructure for AI agents with transaction signing, trust scoring, and spend limit enforcement. Enables safe autonomous financial interactions by tracking agent behavior and preventing unauthorized transactions.

AI-powered pull request security audit tool

Performs structural analysis on code repositories to detect potential security risks and code quality issues. Scans pull requests using advanced techniques like AST analysis, clone detection, and dependency tracking.

Security scanner for AI agent tool definitions

ToolTrust Scanner detects security vulnerabilities in AI tool configurations, scanning MCP servers for potential risks like prompt injection, data exfiltration, and privilege escalation. It provides a trust grading system for tools before they are added to an AI agent's configuration.

Security-first, offline-only password vault for Android

VeilVault stores password vault data locally on your device without cloud sync or online servers. It provides offline password management with strong encryption and integrity enforcement.

npm package security verification utility

Provides security verification for npm package websites. Checks and validates web requests to protect against malicious bot activities.

Parallel file checksum generation tool

Picca is a Rust program for generating file checksums using multiple threads. It can hash files using various algorithms and verify file integrity by comparing checksums.

Privacy-first LLM proxy for enterprise and team AI access control

VoidLLM acts as a middleware between applications and LLM providers, providing organizational control and governance for AI API usage. It enables secure, tracked, and controlled access to language models through a self-hosted proxy.

A memory-safe Rust replacement for curl/libcurl

Urlx is a complete reimplementation of curl in Rust, providing HTTP/network transfer capabilities with a focus on memory safety and performance. It supports multiple protocols including HTTP, FTP, SSH, WebSocket, and more, with a compatible CLI and library interface.

GitHub repository scorecard and health monitoring tool

Analyzes GitHub repositories across security, process, and documentation dimensions. Provides comprehensive scorecards that highlight potential issues and recommended fixes for engineering teams.

Verify signed agent, API, and MCP records offline.

Agent Auditor opens any signed interaction record and displays details about who acted, what happened, and whether the proof is genuine. Users can drop a receipt file to see it decoded and verified instantly, with inspections occurring locally in either a browser or CLI.

A bare-metal forensic scanner in Rust.

Zen-Hunt is a high-performance forensic scanner designed for rapid data triage and deep-pattern hunting in large datasets. It supports various formats and offers specialized capabilities for both mechanical and modern SSD storage systems.

Under-$15 acoustic drone detection system on ESP32-S3.

Batear is an acoustic drone warning system that detects drone rotor sounds using a MEMS microphone. It operates entirely on the edge, requiring no internet connection or cloud service, making it a cost-effective solution for drone detection.

Linux fork with structural security.

DialectForge OS is designed to provide a secure operating system option with penetration-proof features. It employs a multi-tier trust model and various security mechanisms such as per-process memory encryption and USB auto-quarantine.

Investigation into exposure of military assets through fitness data.

The investigation analyzes how fitness app Strava inadvertently exposes military personnel and assets through publicly available GPS data. It highlights significant incidents and vulnerabilities associated with the use of fitness tracking devices by military members.

A sandbox and diff/apply workflow your agent can't escape.

YoloAI provides a secure environment for AI agents to operate without risking the integrity of the user's system. It employs multiple isolation modes to ensure that the agent cannot bypass security measures while allowing for a review workflow where users can see changes before applying them.

A local macOS password manager for agent workflows

Agent-password is designed to securely manage passwords for agent workflows on macOS. Secrets are encrypted and stored in a local SQLite vault, accessible via a shared session using Touch ID for authentication.

Live AIS tracking for Baltic Sea vessels.

The Baltic Shadow Fleet Tracker monitors over 1200 vessels in the Baltic Sea using real-time AIS data. It alerts users to vessel proximity to undersea cables and detects transshipment activities between Russian and Western ports.

Control layer for AI-driven payments.

AgentGuard is a governance layer for AI-driven financial operations. It evaluates intent, policy, and approval states before transactions are executed, ensuring safe and audited payment processing.

Cybersecurity tabletop exercise tool.

Cybertt provides a library of incident response scenarios for organizations to run live exercises. Users can select scenarios like ransomware outbreaks or phishing-led breaches to simulate and improve their response strategies.

Overview of age verification compliance in open source operating systems.

This service provides a comprehensive list of open source operating systems and their status regarding age verification laws in various jurisdictions. It includes information on which systems comply, do not comply, or are planning to implement such measures.

A 'sudo' wrapper for AI agents with auto Git snapshots.

Node9 provides a security layer for autonomous AI agents, intercepting potentially dangerous commands before they execute. It also allows users to revert AI changes with Git snapshots, enhancing safety and control during automated processes.

Tool to visualize CVE attack chains

This tool allows users to enter a CVE ID and visualize the attack chain associated with that vulnerability. It fetches live data to provide a comprehensive analysis of the vulnerabilities' real-world impact and exploitation methods.

Security proxy for MCP agent protocols

MCPSaaS provides end-to-end security for AI agents by implementing a zero trust model. It verifies message integrity, protects against replay attacks, and ensures agent identity through a simplified configuration change.

A security camera for your AI agent.

CameraClaw provides a sandbox for AI agents with monitoring features. It captures console output, network activity, and other metrics to ensure security and transparency during the agent's operation.

Detect compromised AI agents using fake credentials.

Snare detects hijacked AI agents before they can make AWS API calls by planting fake credentials in their environment. When a compromised agent attempts to use these credentials, Snare triggers an alert, providing immediate notification of the breach.