Quarantine system for AI agent downloads. Files go to a removable drive jail, an LLM reviews them, safe files pass, dangerous files get deleted. If delete fails, the drive gets ejected. Hardware-backed security for $20/month or free with local LLMs.
A file quarantine system that protects your PC from files downloaded by AI agents. Uses a removable drive (SD card, USB stick) as an air-gapped jail - if anything goes wrong, eject the drive and the threat is physically gone.
We called it SuperSafe because that's what it does - it makes your AI agent SuperSafe to use on your PC.
This is the first public source-available release from A Generation Forwordz Foundation (501c3). We built this because we needed it, and we're sharing it because you probably need it too. If you're running AI agents that can download files to your machine, this is for you.
We'd love constructive feedback - issues, pull requests, ideas, criticism. This is v1 and we know it can be better. Help us make it better.
Security Notice: SuperSafe is a defense-in-depth layer, not a replacement for antivirus, endpoint protection, or OS security features. Use it alongside Windows Defender, SmartScreen, and your existing security stack. No security tool can guarantee zero risk.
AI coding agents like Claude Code, Codex, Aider, and autonomous agents built with frameworks like AutoGen or CrewAI can browse the web, call APIs, and download files to your machine. That's powerful - but it means an agent might download something you didn't ask for, or a file that isn't what it claims to be.
Most people either trust the agent completely (risky) or disable downloads entirely (limiting). This project gives you a middle ground: let the agent download, but quarantine every file for review before it touches your real filesystem.
YOUR AI AGENT YOUR PC REMOVABLE DRIVE
(any agent that (staging folder (SD card / USB)
downloads files) watched by script)
| | |
| downloads file | |
+-----> [ staging/file.exe ] --->| |
(lands here first) | |
| INSTANTLY moved
+--------------------> [ quarantine/file.exe ]
(now on removable drive)
|
|
|
LLM REVIEW (Claude Code)
(reads file metadata,
checks name, size, hash)
|
+-------+-------+
| |
SAFE DANGEROUS
| |
move to delete from
approved/ quarantine
|
if delete fails:
EJECT THE DRIVE ---------> X
(threat is gone) |
| |
if eject fails: |
FORMAT THE DRIVE ---------> X
(threat is destroyed) |
| |
if format fails: |
UNPLUG MANUALLY ---------> X
Software deletion can fail. A process might lock the file. Permissions might block removal. Malware might resist deletion.
But you know what can't resist being physically unplugged?
A USB stick.
The whole point is that you don't have to do anything. The system handles everything automatically - detect, quarantine, review, delete. You just see the verdict logs afterward. The escalation chain is: delete → eject → format → unplug. The first three are fully automatic. Only if all three fail (which would be extremely rare) does a human need to physically pull the drive. At every level, the threat is neutralized.
The removable drive also puts old USB sticks and SD cards back to work. Instead of sitting in a drawer collecting dust, they become an active part of your security setup. Think of it as recycling - hardware you already own, doing a job that software alone can't guarantee.
SuperSafe reviews all file types, not just executables. The LLM reviewer uses different rules depending on what kind of file it sees:
Executables (.exe, .msi, .bat, .cmd, .ps1, .vbs, .js, .scr, .com) - Strict review. Must match a known company, correct spelling, reasonable size. This is where most threats live.
Documents (.txt, .csv, .pdf, .json, .xml, .md, .log, .html, .yaml, .toml, .ini, .cfg) - Light review. These are generally safe. Flagged only if they have suspicious names, double extensions (report.pdf.exe), or abnormal sizes.
Archives (.zip, .rar, .7z, .tar, .gz) - Moderate review. Checked for descriptive filenames and known sources. Random-named archives get flagged.
The known_safe_companies list in config is guidance for the LLM, not a hard restriction. Smart reviewers like Claude Code already know what's legitimate - the list helps smaller local models (running via Ollama) make better decisions.
An AI agent is any software that uses a large language model (LLM) to autonomously perform tasks on your computer. Unlike a chatbot that just talks to you, an agent can:
- Execute shell commands on your machine
- Browse the web and interact with websites
- Download files from the internet
- Read and write files on your filesystem
- Call APIs and interact with external services
Examples include:
- Claude Code / Codex CLI - AI coding assistants that run in your terminal
- Custom agents built with AutoGen, CrewAI, LangChain, or similar frameworks
- Browser agents that navigate web pages and download content
- Telegram/Discord bots backed by LLMs with tool access
The agent might download a file because you asked it to ("install Spotify"), or it might download something as part of a larger task you requested. Either way, you want a human-in-the-loop (or at minimum, a second LLM review) before that file gets anywhere near your system.
================================================
SECURITY GATE - AI QUARANTINE WATCHER
================================================
Staging: C:\MyAgent\quarantine
Jail: F:\incoming
Approved: C:\MyAgent\downloads-approved
Verdicts: C:\MyAgent\verdict-logs
Watching... (Ctrl+C to stop)
!!! NEW FILE DETECTED !!!
File: SpotifySetup.exe
Detected: 2025-01-15 14:32:07.421
[1] 14:32:07.425 - Moving to quarantine drive...
14:32:07.512 - Isolated: F:\incoming\SpotifySetup_20250115-143207-512.exe
[2] 14:32:07.514 - Hashing file...
14:32:07.891 - Hash complete
Size: 1.24 MB | Type: .exe
SHA256: 3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b
[3] 14:32:07.893 - Launching LLM reviewer...
14:32:12.104 - [VERDICT SOURCE] LLM stdout
[4] 14:32:12.106 - VERDICT: SAFE: SpotifySetup.exe - Spotify, legitimate music streaming installer
14:32:12.108 - [LOG] Verdict saved: C:\MyAgent\verdict-logs\2025-01-15_14-32-12-104_SpotifySetup.exe.txt
[5] 14:32:12.110 - [ACTION] SAFE - Moving to approved...
14:32:12.247 - Moved to: C:\MyAgent\downloads-approved\SpotifySetup.exe
Watching for next file...
!!! NEW FILE DETECTED !!!
File: Discrod-Setup.exe
Detected: 2025-01-16 09:15:42.318
[1] 09:15:42.322 - Moving to quarantine drive...
09:15:42.410 - Isolated: F:\incoming\Discrod-Setup_20250116-091542-410.exe
[2] 09:15:42.412 - Hashing file...
09:15:42.987 - Hash complete
Size: 78.5 MB | Type: .exe
SHA256: f1e2d3c4b5a6f7e8d9c0b1a2f3e4d5c6b7a8f9e0d1c2b3a4f5e6d7c8b9a0f1e2
[3] 09:15:42.989 - Launching LLM reviewer...
09:15:47.553 - [VERDICT SOURCE] LLM stdout
[4] 09:15:47.555 - VERDICT: DANGEROUS: Discrod-Setup.exe - Misspelled company name (Discord vs Discrod), likely typosquatted malware
09:15:47.557 - [LOG] Verdict saved: C:\MyAgent\verdict-logs\2025-01-16_09-15-47-553_Discrod-Setup.exe.txt
[5] 09:15:47.559 - [ACTION] DANGEROUS - Deleting from quarantine...
09:15:47.612 - DELETED: Discrod-Setup.exe
Watching for next file...
This system was born from a real production setup, not a theoretical exercise. Here's what we're actually running:
Nova is an autonomous AI agent running on the OpenClaw framework. She operates inside a Docker container and communicates through Telegram as her primary interface. When you talk to Nova on Telegram, she can browse the web, search for information, read documents, and yes - download files.
Nova's brain:
- Primary model: GPT-OSS Tools 20B - a 20 billion parameter open source model running locally through Ollama
- Fallback models: Qwen 2.5 14B (local), Qwen 2.5 7B (local), Qwen 3 80B via OpenRouter (cloud, free tier)
- All local inference - the primary model runs entirely on a laptop GPU (NVIDIA RTX 5080, 16GB VRAM). No cloud API costs for day-to-day operation.
Nova's sandbox:
- Runs in a Docker container isolated to a single drive - she cannot touch the OS drive at all
- All internet traffic goes through a Squid proxy with domain whitelisting (only approved sites)
- Has her own SearXNG search engine instance (self-hosted, no API keys)
- Limited to 16GB RAM, 4 CPU cores, 200 max processes
- No ports exposed to the network - fully internal Docker networking
Why SuperSafe exists: The long-term goal is to run Nova directly on the PC without a Docker container - like a personal Jarvis. But we weren't about to just remove the container and hope for the best. SuperSafe was built so that when Nova eventually runs free on the system, there's still a hardware-backed safety net between her downloads and the rest of the PC. Old USB drives and SD cards that were collecting dust become the backbone of that safety net - recycling meets security.
The problem we solved: Nova can download files from the internet as part of her tasks. But she's an AI - she could be tricked by a malicious website, or download something that looks legitimate but isn't. We needed a way to let her download freely while keeping the PC safe. Right now Docker provides one layer of isolation, but SuperSafe provides another that works whether Docker is there or not. That's this project.
This entire system - the quarantine scripts, the config architecture, the open source packaging, this README - was built using Claude Code (Anthropic's CLI tool for software development). Nacho designed the architecture, directed every decision, and reviewed all output. Claude Code wrote the code under that direction. No code went in without human review, approval and testing.
Claude Code also serves as the file reviewer in production. When Nova downloads something, the watcher script pipes a review prompt to Claude Code, which analyzes the file metadata and outputs a verdict: SAFE or DANGEROUS. The watcher script then enforces that verdict - moving approved files or deleting dangerous ones.
If you're running a similar architecture - a Docker-based AI agent with local LLMs, using Claude Code for development - this should be pretty straightforward to adapt to your setup. The config file lets you plug in your own paths and your own reviewer.
You can run this entire system for $20/month or completely free depending on which LLM reviewer you choose.
| Component | Cost |
|---|---|
| SuperSafe scripts | Free (this repo) |
| Windows + PowerShell | Free (already on your PC) |
| Old USB stick or SD card | Free (you probably have one in a drawer) |
| LLM Reviewer (Option A): Claude Code Plus | $20/month |
| LLM Reviewer (Option B): Ollama with a local model | Free (runs on your GPU) |
In production, we use Claude Code Plus ($20/month) as the reviewer. It's the same Claude Code you use for development - the watcher just pipes a prompt to it and reads the verdict. You don't need a separate API key or credits. If you already have Claude Code for coding, you already have the reviewer.
If you want to run it for $0/month, use Ollama with a local model like Llama 3.1 or Qwen 2.5. It runs entirely on your GPU, no cloud needed. The watcher works the same way - it just pipes the prompt to ollama run instead of claude -p.
- Windows 10/11 with PowerShell 5.1+ (macOS/Linux support planned)
- A removable drive - SD card, USB flash drive, or any ejectable media (must be NTFS formatted for execute lockdown)
- An LLM CLI tool for file review - any of these work:
- Claude Code (
claude -p) - $20/month with Claude Code Plus - Codex CLI with prompt mode
- Ollama with a local model - free, runs on your GPU
- Any CLI tool that accepts a text prompt and outputs text
- Claude Code (
Windows blocks .ps1 scripts by default. Open PowerShell as Administrator and run:
Set-ExecutionPolicy RemoteSigned -Scope CurrentUserThis only needs to be done once.
git clone https://github.com/agenerationforwordz-tech/supersafe.git
cd supersafe
Make sure it's formatted as NTFS (required for the execute-lockdown to work). Create an incoming folder on it (e.g., F:\incoming). If your drive is FAT32/exFAT, convert it with convert F: /fs:ntfs (no data loss) or reformat as NTFS in File Explorer.
Copy-Item config.example.json config.json
notepad config.jsonFill in your actual paths:
{
"staging_folder": "C:\\MyAgent\\quarantine",
"quarantine_drive": "F:\\incoming",
"approved_folder": "C:\\MyAgent\\downloads-approved",
"verdict_log_folder": "C:\\MyAgent\\verdict-logs",
"emergency_eject_drive": "F",
"security_log": "C:\\MyAgent\\logs\\security-events.log",
"reviewer_command": "claude -p --permission-mode bypassPermissions",
"reviewer_working_dir": "C:\\MyAgent",
...
}# Right-click PowerShell -> Run as Administrator
.\scripts\lockdown-drive.ps1This prevents any file on the quarantine drive from being executed. Files can still be read, moved, and deleted - but never run.
.\scripts\security-gate-watcher.ps1In a second terminal, run:
.\scripts\test-setup.ps1This drops a safe test file (SpotifySetup.exe) and a dangerous test file (Steamm-Crack-Activator.exe) into your staging folder. Watch the watcher terminal - the safe file should pass and the dangerous one should get deleted.
Now point your AI agent's download directory to the staging_folder path. Every file that lands there will be instantly moved to the quarantine drive, reviewed by your LLM, and either approved or destroyed.
| Field | Description |
|---|---|
staging_folder |
Where your AI agent downloads files to. The watcher monitors this folder. |
quarantine_drive |
Path on the removable drive where files are isolated for review. |
approved_folder |
Where safe files are moved after passing review. |
verdict_log_folder |
Where verdict logs are saved (one per file reviewed). |
emergency_eject_drive |
Drive letter of the removable drive (just the letter, no colon). |
security_log |
Path to the security events log file. |
reviewer_command |
The CLI command to invoke your LLM reviewer. Must accept piped input. |
reviewer_working_dir |
Working directory for the reviewer process. |
known_safe_companies |
List of company names the reviewer uses as guidance (not a hard restriction). |
min_safe_size_kb |
Files smaller than this (in KB) are flagged as suspicious droppers. |
max_safe_size_mb |
Files larger than this (in MB) are flagged as unusually large. |
Point your agent's download directory to the staging_folder. How you do this depends on your agent:
Claude Code / Codex CLI: Tell the agent in its system prompt or instructions to save all downloads to the staging folder.
Custom agents (AutoGen, CrewAI, LangChain): Configure the agent's file output directory to the staging folder path.
Docker-based agents: Mount the staging folder as a volume:
docker run -v C:\MyAgent\quarantine:/downloads your-agent
Browser agents: Set the browser's download directory to the staging folder.
The key is: no matter what agent you use, all downloads funnel through the same staging folder, and the watcher catches everything.
The reviewer_command field in config.json controls which LLM reviews files. The command must accept a prompt via piped stdin and output its verdict to stdout.
The watcher captures the LLM's stdout and looks for a line starting with SAFE or DANGEROUS. The LLM does NOT need to move, delete, or write any files - it just needs to output a one-line verdict. The watcher handles all file operations.
Claude Code (recommended):
"reviewer_command": "claude -p --permission-mode bypassPermissions"Why bypassPermissions? The watcher runs unattended - without this flag, Claude Code would stop and ask for permission on every single file review, which breaks the automated pipeline. This is safe because the quarantine drive already has execute-denied via NTFS ACLs, so the reviewer can only read file metadata, not run anything.
Claude Code can also write the verdict to a file directly. The watcher checks for that first, then falls back to stdout parsing.
Ollama (local, free):
"reviewer_command": "ollama run llama3.1"Works out of the box. The watcher captures Ollama's text output and parses the verdict from it. Use a model with good instruction-following (7B+ recommended).
Any CLI tool: As long as it reads from stdin and prints text to stdout, it works. The watcher sends a prompt describing the file and parses the first line containing SAFE or DANGEROUS from the output.
- Files never touch your real filesystem until approved
- Files on the quarantine drive cannot be executed (after running lockdown-drive.ps1)
- If deletion fails, the drive is ejected; if ejection fails, the drive is formatted; if that fails, manual unplug
- Every file gets a SHA256 hash and full verdict log
- The watcher (not the LLM) enforces the verdict - the LLM outputs "SAFE" or "DANGEROUS", but it's the PowerShell script that actually moves or deletes
Here's the real-world timeline from a live test, measured in milliseconds:
Detected: 20:04:30.867 - file lands in staging
Isolated: 20:04:32.071 - file is now on the locked-down SD card
That's a 1.2 second window where the file exists in the staging folder. After that, it's on the quarantine drive where NTFS ACLs deny execute permission for all users - the file physically cannot run itself.
Here's what each phase looks like:
| Phase | Duration | Can the file execute? |
|---|---|---|
| Staging folder | ~1-2 seconds | Theoretically, but staging is on an isolated drive (Docker workspace) |
| Quarantine drive | Until verdict | No - execute denied via NTFS ACL (lockdown-drive.ps1) |
| After DANGEROUS verdict | Immediate | Deleted, or drive ejected, or drive formatted |
Even in that 1-2 second staging window, the file would need to somehow trigger itself without user interaction, from inside a folder that isn't in any system PATH, on a drive that's typically restricted to a Docker container. And if your staging folder is on the same drive as your OS, you can use a RAM disk or separate partition to further reduce risk.
The LLM reviewer is surprisingly effective at catching the most common ways people actually get infected:
It WILL catch:
- Typosquatted names (Discrod, Steamm, Mcrosoft, Whatsap)
- Cracks, keygens, activators, and patches ("Office-Activator.exe", "Steam-Crack.exe")
- Random gibberish filenames (a8f3x.exe, tmp29dk.exe)
- Suspiciously small executables (under 100KB - likely a dropper/stub)
- Double extensions hiding executables (report.pdf.exe, photo.jpg.scr)
- Unusually large files for their type
- Unknown or unrecognizable sources
These are the attacks that actually trick people every day - fake downloads, social engineering, phishing links that drop typosquatted installers. The LLM is excellent at spotting these because they rely on fooling humans, not software.
It will NOT catch:
- A file that looks completely legitimate in every way (correct name, correct size, correct type) but has malicious code hidden inside the binary. The LLM reviews metadata, not file contents - it's not antivirus.
That's why SuperSafe is one layer in a stack, not a replacement for antivirus. Windows Defender, SmartScreen, and your antivirus still scan anything that reaches the approved folder. SuperSafe catches the obvious fakes before they even get that far.
- The watcher script needs permissions to move/delete files on the quarantine drive
This system is designed as one layer in a multi-layer security approach:
- Agent sandboxing - Docker containers, restricted file access
- Quarantine gate - This project (file-level review before approval)
- OS-level protection - Windows Defender, SmartScreen, UAC
- Network-level - Proxy filtering, firewall rules
Every reviewed file produces a verdict log in the verdict_log_folder:
================================================================================
QUARANTINE VERDICT LOG
================================================================================
FILE: SpotifySetup.exe
SHA256: a1b2c3d4e5f6...
SIZE: 1.24 MB
TYPE: .exe
TIME: 2025-01-15 14:32:07.421
VERDICT: SAFE: SpotifySetup.exe - Spotify, legitimate installer
================================================================================
Logs are named with timestamp and filename: 2025-01-15_14-32-12-104_SpotifySetup.exe.txt
| Script | Purpose | Requires Admin? |
|---|---|---|
security-gate-watcher.ps1 |
Main watcher - monitors staging, quarantines, reviews, enforces | No |
emergency-eject.ps1 |
Ejects or formats the quarantine drive in an emergency | Partial (format needs Admin) |
lockdown-drive.ps1 |
Denies execute permissions on the quarantine drive | Yes |
test-setup.ps1 |
Drops test files to verify your setup works end-to-end | No |
"Running scripts is disabled on this system"
Run Set-ExecutionPolicy RemoteSigned -Scope CurrentUser in PowerShell as Administrator. See Quick Start step 1.
"config.json not found"
Copy config.example.json to config.json in the repo root and fill in your paths.
"Quarantine drive not mounted"
Plug in your removable drive and make sure the quarantine_drive path exists (e.g., create F:\incoming).
"This script must be run as Administrator"
Right-click PowerShell and select "Run as Administrator" before running lockdown-drive.ps1.
"Drive is formatted as FAT32/exFAT"
The lockdown script requires NTFS to set execute-deny permissions. Convert with convert F: /fs:ntfs (no data loss) or reformat as NTFS in File Explorer (erases data).
Watcher doesn't see files
Make sure your agent is saving to the exact staging_folder path in config.json. The watcher ignores .tmp, .crdownload, .partial, and desktop.ini files.
"Reviewer command not found"
The watcher checks that your LLM CLI tool exists before starting. Install it (npm install -g @anthropic-ai/claude-code for Claude Code, or download Ollama from ollama.com) and make sure it's in your system PATH.
LLM doesn't produce a verdict
Check that reviewer_command is correct and the LLM CLI tool is installed and in your PATH. The watcher looks for a line starting with SAFE or DANGEROUS in the LLM's output. If using Claude Code, it can also write the verdict to a file on the quarantine drive.
Drive won't eject The script automatically tries three methods: Shell eject, mountvol eject, then full format. If all three fail, close all programs using the drive and physically unplug it.
This is our first source-available project. We're learning as we go.
If you're running AI agents and dealing with similar trust problems, we want to hear from you. Open an issue, submit a PR, or just tell us what we got wrong. Constructive criticism makes this better for everyone.
Some areas we know could use improvement:
- Linux/macOS support (currently Windows-only)
- Binary content analysis (currently metadata-only review)
- VirusTotal API integration for hash checking
- Support for reviewing multiple files in parallel
- A web dashboard for verdict history
Built by Nacho / A Generation Forwordz Foundation (501c3).
Built using Claude Code (Anthropic's CLI tool) under Nacho's design and direction. Every script, config, and doc was human-reviewed before it went in.
Born from running Nova - an autonomous AI agent powered by a 20B parameter open source model on local hardware - and needing a way to trust-but-verify every file she downloads. The SD card air gap was the key insight: if software fails, hardware wins.
PolyForm Noncommercial 1.0.0
This project is source-available for noncommercial use. The full source code is here for you to use, learn from, modify, and share - but you cannot sell it or use it commercially. This is not an OSI-approved open source license, and we're upfront about that. We chose PolyForm Noncommercial because it was written specifically for software (unlike Creative Commons, which was designed for creative content). It clearly covers source code, dependencies, and distribution without the ambiguity that CC licenses have when applied to code.
Use it, improve it, share it, learn from it. Keep it free, give credit. Do not sell it.
See LICENSE for details.