Skip to content

agenerationforwordz-tech/supersafe

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

SuperSafe

Quarantine system for AI agent downloads. Files go to a removable drive jail, an LLM reviews them, safe files pass, dangerous files get deleted. If delete fails, the drive gets ejected. Hardware-backed security for $20/month or free with local LLMs.

A file quarantine system that protects your PC from files downloaded by AI agents. Uses a removable drive (SD card, USB stick) as an air-gapped jail - if anything goes wrong, eject the drive and the threat is physically gone.

We called it SuperSafe because that's what it does - it makes your AI agent SuperSafe to use on your PC.

This is the first public source-available release from A Generation Forwordz Foundation (501c3). We built this because we needed it, and we're sharing it because you probably need it too. If you're running AI agents that can download files to your machine, this is for you.

We'd love constructive feedback - issues, pull requests, ideas, criticism. This is v1 and we know it can be better. Help us make it better.

Security Notice: SuperSafe is a defense-in-depth layer, not a replacement for antivirus, endpoint protection, or OS security features. Use it alongside Windows Defender, SmartScreen, and your existing security stack. No security tool can guarantee zero risk.

The Problem

AI coding agents like Claude Code, Codex, Aider, and autonomous agents built with frameworks like AutoGen or CrewAI can browse the web, call APIs, and download files to your machine. That's powerful - but it means an agent might download something you didn't ask for, or a file that isn't what it claims to be.

Most people either trust the agent completely (risky) or disable downloads entirely (limiting). This project gives you a middle ground: let the agent download, but quarantine every file for review before it touches your real filesystem.

How It Works

 YOUR AI AGENT                    YOUR PC                      REMOVABLE DRIVE
 (any agent that                  (staging folder               (SD card / USB)
  downloads files)                 watched by script)

     |                                |                              |
     | downloads file                 |                              |
     +-----> [ staging/file.exe ] --->|                              |
             (lands here first)       |                              |
                                      |                         INSTANTLY moved
                                      +--------------------> [ quarantine/file.exe ]
                                                            (now on removable drive)
                                                                     |
                                                                     |
                                                                     |
                                                               LLM REVIEW (Claude Code)
                                                              (reads file metadata,
                                                               checks name, size, hash)
                                                                     |
                                                             +-------+-------+
                                                             |               |
                                                           SAFE           DANGEROUS
                                                             |               |
                                                         move to          delete from
                                                         approved/        quarantine
                                                                             |
                                                                        if delete fails:
                                                                        EJECT THE DRIVE  ---------> X
                                                                        (threat is gone)            |
                                                                             |                      |
                                                                        if eject fails:             |
                                                                        FORMAT THE DRIVE ---------> X
                                                                        (threat is destroyed)       |
                                                                             |                      |
                                                                        if format fails:            |
                                                                        UNPLUG MANUALLY  ---------> X

Why a Removable Drive?

Software deletion can fail. A process might lock the file. Permissions might block removal. Malware might resist deletion.

But you know what can't resist being physically unplugged?

A USB stick.

The whole point is that you don't have to do anything. The system handles everything automatically - detect, quarantine, review, delete. You just see the verdict logs afterward. The escalation chain is: delete → eject → format → unplug. The first three are fully automatic. Only if all three fail (which would be extremely rare) does a human need to physically pull the drive. At every level, the threat is neutralized.

The removable drive also puts old USB sticks and SD cards back to work. Instead of sitting in a drawer collecting dust, they become an active part of your security setup. Think of it as recycling - hardware you already own, doing a job that software alone can't guarantee.

What It Reviews

SuperSafe reviews all file types, not just executables. The LLM reviewer uses different rules depending on what kind of file it sees:

Executables (.exe, .msi, .bat, .cmd, .ps1, .vbs, .js, .scr, .com) - Strict review. Must match a known company, correct spelling, reasonable size. This is where most threats live.

Documents (.txt, .csv, .pdf, .json, .xml, .md, .log, .html, .yaml, .toml, .ini, .cfg) - Light review. These are generally safe. Flagged only if they have suspicious names, double extensions (report.pdf.exe), or abnormal sizes.

Archives (.zip, .rar, .7z, .tar, .gz) - Moderate review. Checked for descriptive filenames and known sources. Random-named archives get flagged.

The known_safe_companies list in config is guidance for the LLM, not a hard restriction. Smart reviewers like Claude Code already know what's legitimate - the list helps smaller local models (running via Ollama) make better decisions.

What Is an "AI Agent" in This Context?

An AI agent is any software that uses a large language model (LLM) to autonomously perform tasks on your computer. Unlike a chatbot that just talks to you, an agent can:

  • Execute shell commands on your machine
  • Browse the web and interact with websites
  • Download files from the internet
  • Read and write files on your filesystem
  • Call APIs and interact with external services

Examples include:

  • Claude Code / Codex CLI - AI coding assistants that run in your terminal
  • Custom agents built with AutoGen, CrewAI, LangChain, or similar frameworks
  • Browser agents that navigate web pages and download content
  • Telegram/Discord bots backed by LLMs with tool access

The agent might download a file because you asked it to ("install Spotify"), or it might download something as part of a larger task you requested. Either way, you want a human-in-the-loop (or at minimum, a second LLM review) before that file gets anywhere near your system.

Example: What It Looks Like

A file PASSES review (SAFE)

================================================
  SECURITY GATE - AI QUARANTINE WATCHER
================================================

  Staging:  C:\MyAgent\quarantine
  Jail:     F:\incoming
  Approved: C:\MyAgent\downloads-approved
  Verdicts: C:\MyAgent\verdict-logs

  Watching... (Ctrl+C to stop)

!!! NEW FILE DETECTED !!!
    File: SpotifySetup.exe
    Detected: 2025-01-15 14:32:07.421
[1] 14:32:07.425 - Moving to quarantine drive...
    14:32:07.512 - Isolated: F:\incoming\SpotifySetup_20250115-143207-512.exe
[2] 14:32:07.514 - Hashing file...
    14:32:07.891 - Hash complete
    Size: 1.24 MB | Type: .exe
    SHA256: 3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b
[3] 14:32:07.893 - Launching LLM reviewer...

    14:32:12.104 - [VERDICT SOURCE] LLM stdout
[4] 14:32:12.106 - VERDICT: SAFE: SpotifySetup.exe - Spotify, legitimate music streaming installer
    14:32:12.108 - [LOG] Verdict saved: C:\MyAgent\verdict-logs\2025-01-15_14-32-12-104_SpotifySetup.exe.txt
[5] 14:32:12.110 - [ACTION] SAFE - Moving to approved...
    14:32:12.247 - Moved to: C:\MyAgent\downloads-approved\SpotifySetup.exe

Watching for next file...

A file FAILS review (DANGEROUS)

!!! NEW FILE DETECTED !!!
    File: Discrod-Setup.exe
    Detected: 2025-01-16 09:15:42.318
[1] 09:15:42.322 - Moving to quarantine drive...
    09:15:42.410 - Isolated: F:\incoming\Discrod-Setup_20250116-091542-410.exe
[2] 09:15:42.412 - Hashing file...
    09:15:42.987 - Hash complete
    Size: 78.5 MB | Type: .exe
    SHA256: f1e2d3c4b5a6f7e8d9c0b1a2f3e4d5c6b7a8f9e0d1c2b3a4f5e6d7c8b9a0f1e2
[3] 09:15:42.989 - Launching LLM reviewer...

    09:15:47.553 - [VERDICT SOURCE] LLM stdout
[4] 09:15:47.555 - VERDICT: DANGEROUS: Discrod-Setup.exe - Misspelled company name (Discord vs Discrod), likely typosquatted malware
    09:15:47.557 - [LOG] Verdict saved: C:\MyAgent\verdict-logs\2025-01-16_09-15-47-553_Discrod-Setup.exe.txt
[5] 09:15:47.559 - [ACTION] DANGEROUS - Deleting from quarantine...
    09:15:47.612 - DELETED: Discrod-Setup.exe

Watching for next file...

The Setup That Built This

This system was born from a real production setup, not a theoretical exercise. Here's what we're actually running:

Nova - The AI Agent

Nova is an autonomous AI agent running on the OpenClaw framework. She operates inside a Docker container and communicates through Telegram as her primary interface. When you talk to Nova on Telegram, she can browse the web, search for information, read documents, and yes - download files.

Nova's brain:

  • Primary model: GPT-OSS Tools 20B - a 20 billion parameter open source model running locally through Ollama
  • Fallback models: Qwen 2.5 14B (local), Qwen 2.5 7B (local), Qwen 3 80B via OpenRouter (cloud, free tier)
  • All local inference - the primary model runs entirely on a laptop GPU (NVIDIA RTX 5080, 16GB VRAM). No cloud API costs for day-to-day operation.

Nova's sandbox:

  • Runs in a Docker container isolated to a single drive - she cannot touch the OS drive at all
  • All internet traffic goes through a Squid proxy with domain whitelisting (only approved sites)
  • Has her own SearXNG search engine instance (self-hosted, no API keys)
  • Limited to 16GB RAM, 4 CPU cores, 200 max processes
  • No ports exposed to the network - fully internal Docker networking

Why SuperSafe exists: The long-term goal is to run Nova directly on the PC without a Docker container - like a personal Jarvis. But we weren't about to just remove the container and hope for the best. SuperSafe was built so that when Nova eventually runs free on the system, there's still a hardware-backed safety net between her downloads and the rest of the PC. Old USB drives and SD cards that were collecting dust become the backbone of that safety net - recycling meets security.

The problem we solved: Nova can download files from the internet as part of her tasks. But she's an AI - she could be tricked by a malicious website, or download something that looks legitimate but isn't. We needed a way to let her download freely while keeping the PC safe. Right now Docker provides one layer of isolation, but SuperSafe provides another that works whether Docker is there or not. That's this project.

Claude Code - The Build Tool and Reviewer

This entire system - the quarantine scripts, the config architecture, the open source packaging, this README - was built using Claude Code (Anthropic's CLI tool for software development). Nacho designed the architecture, directed every decision, and reviewed all output. Claude Code wrote the code under that direction. No code went in without human review, approval and testing.

Claude Code also serves as the file reviewer in production. When Nova downloads something, the watcher script pipes a review prompt to Claude Code, which analyzes the file metadata and outputs a verdict: SAFE or DANGEROUS. The watcher script then enforces that verdict - moving approved files or deleting dangerous ones.

If you're running a similar architecture - a Docker-based AI agent with local LLMs, using Claude Code for development - this should be pretty straightforward to adapt to your setup. The config file lets you plug in your own paths and your own reviewer.

What It Costs

You can run this entire system for $20/month or completely free depending on which LLM reviewer you choose.

Component Cost
SuperSafe scripts Free (this repo)
Windows + PowerShell Free (already on your PC)
Old USB stick or SD card Free (you probably have one in a drawer)
LLM Reviewer (Option A): Claude Code Plus $20/month
LLM Reviewer (Option B): Ollama with a local model Free (runs on your GPU)

In production, we use Claude Code Plus ($20/month) as the reviewer. It's the same Claude Code you use for development - the watcher just pipes a prompt to it and reads the verdict. You don't need a separate API key or credits. If you already have Claude Code for coding, you already have the reviewer.

If you want to run it for $0/month, use Ollama with a local model like Llama 3.1 or Qwen 2.5. It runs entirely on your GPU, no cloud needed. The watcher works the same way - it just pipes the prompt to ollama run instead of claude -p.

Requirements

  • Windows 10/11 with PowerShell 5.1+ (macOS/Linux support planned)
  • A removable drive - SD card, USB flash drive, or any ejectable media (must be NTFS formatted for execute lockdown)
  • An LLM CLI tool for file review - any of these work:
    • Claude Code (claude -p) - $20/month with Claude Code Plus
    • Codex CLI with prompt mode
    • Ollama with a local model - free, runs on your GPU
    • Any CLI tool that accepts a text prompt and outputs text

Quick Start

1. Allow PowerShell scripts (one-time)

Windows blocks .ps1 scripts by default. Open PowerShell as Administrator and run:

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

This only needs to be done once.

2. Clone this repo

git clone https://github.com/agenerationforwordz-tech/supersafe.git
cd supersafe

3. Plug in your removable drive

Make sure it's formatted as NTFS (required for the execute-lockdown to work). Create an incoming folder on it (e.g., F:\incoming). If your drive is FAT32/exFAT, convert it with convert F: /fs:ntfs (no data loss) or reformat as NTFS in File Explorer.

4. Copy and edit the config

Copy-Item config.example.json config.json
notepad config.json

Fill in your actual paths:

{
  "staging_folder": "C:\\MyAgent\\quarantine",
  "quarantine_drive": "F:\\incoming",
  "approved_folder": "C:\\MyAgent\\downloads-approved",
  "verdict_log_folder": "C:\\MyAgent\\verdict-logs",
  "emergency_eject_drive": "F",
  "security_log": "C:\\MyAgent\\logs\\security-events.log",
  "reviewer_command": "claude -p --permission-mode bypassPermissions",
  "reviewer_working_dir": "C:\\MyAgent",
  ...
}

5. Lock down the quarantine drive (one-time, run as Admin)

# Right-click PowerShell -> Run as Administrator
.\scripts\lockdown-drive.ps1

This prevents any file on the quarantine drive from being executed. Files can still be read, moved, and deleted - but never run.

6. Start the watcher

.\scripts\security-gate-watcher.ps1

7. Test it (optional but recommended)

In a second terminal, run:

.\scripts\test-setup.ps1

This drops a safe test file (SpotifySetup.exe) and a dangerous test file (Steamm-Crack-Activator.exe) into your staging folder. Watch the watcher terminal - the safe file should pass and the dangerous one should get deleted.

Now point your AI agent's download directory to the staging_folder path. Every file that lands there will be instantly moved to the quarantine drive, reviewed by your LLM, and either approved or destroyed.

Configuration Reference

Field Description
staging_folder Where your AI agent downloads files to. The watcher monitors this folder.
quarantine_drive Path on the removable drive where files are isolated for review.
approved_folder Where safe files are moved after passing review.
verdict_log_folder Where verdict logs are saved (one per file reviewed).
emergency_eject_drive Drive letter of the removable drive (just the letter, no colon).
security_log Path to the security events log file.
reviewer_command The CLI command to invoke your LLM reviewer. Must accept piped input.
reviewer_working_dir Working directory for the reviewer process.
known_safe_companies List of company names the reviewer uses as guidance (not a hard restriction).
min_safe_size_kb Files smaller than this (in KB) are flagged as suspicious droppers.
max_safe_size_mb Files larger than this (in MB) are flagged as unusually large.

Using With Your AI Agent

Point your agent's download directory to the staging_folder. How you do this depends on your agent:

Claude Code / Codex CLI: Tell the agent in its system prompt or instructions to save all downloads to the staging folder.

Custom agents (AutoGen, CrewAI, LangChain): Configure the agent's file output directory to the staging folder path.

Docker-based agents: Mount the staging folder as a volume:

docker run -v C:\MyAgent\quarantine:/downloads your-agent

Browser agents: Set the browser's download directory to the staging folder.

The key is: no matter what agent you use, all downloads funnel through the same staging folder, and the watcher catches everything.

Using With Different LLMs

The reviewer_command field in config.json controls which LLM reviews files. The command must accept a prompt via piped stdin and output its verdict to stdout.

The watcher captures the LLM's stdout and looks for a line starting with SAFE or DANGEROUS. The LLM does NOT need to move, delete, or write any files - it just needs to output a one-line verdict. The watcher handles all file operations.

Claude Code (recommended):

"reviewer_command": "claude -p --permission-mode bypassPermissions"

Why bypassPermissions? The watcher runs unattended - without this flag, Claude Code would stop and ask for permission on every single file review, which breaks the automated pipeline. This is safe because the quarantine drive already has execute-denied via NTFS ACLs, so the reviewer can only read file metadata, not run anything.

Claude Code can also write the verdict to a file directly. The watcher checks for that first, then falls back to stdout parsing.

Ollama (local, free):

"reviewer_command": "ollama run llama3.1"

Works out of the box. The watcher captures Ollama's text output and parses the verdict from it. Use a model with good instruction-following (7B+ recommended).

Any CLI tool: As long as it reads from stdin and prints text to stdout, it works. The watcher sends a prompt describing the file and parses the first line containing SAFE or DANGEROUS from the output.

Security Model

What's protected

  • Files never touch your real filesystem until approved
  • Files on the quarantine drive cannot be executed (after running lockdown-drive.ps1)
  • If deletion fails, the drive is ejected; if ejection fails, the drive is formatted; if that fails, manual unplug
  • Every file gets a SHA256 hash and full verdict log
  • The watcher (not the LLM) enforces the verdict - the LLM outputs "SAFE" or "DANGEROUS", but it's the PowerShell script that actually moves or deletes

The attack window is tiny

Here's the real-world timeline from a live test, measured in milliseconds:

Detected:  20:04:30.867 - file lands in staging
Isolated:  20:04:32.071 - file is now on the locked-down SD card

That's a 1.2 second window where the file exists in the staging folder. After that, it's on the quarantine drive where NTFS ACLs deny execute permission for all users - the file physically cannot run itself.

Here's what each phase looks like:

Phase Duration Can the file execute?
Staging folder ~1-2 seconds Theoretically, but staging is on an isolated drive (Docker workspace)
Quarantine drive Until verdict No - execute denied via NTFS ACL (lockdown-drive.ps1)
After DANGEROUS verdict Immediate Deleted, or drive ejected, or drive formatted

Even in that 1-2 second staging window, the file would need to somehow trigger itself without user interaction, from inside a folder that isn't in any system PATH, on a drive that's typically restricted to a Docker container. And if your staging folder is on the same drive as your OS, you can use a RAM disk or separate partition to further reduce risk.

What the LLM catches vs. what it doesn't

The LLM reviewer is surprisingly effective at catching the most common ways people actually get infected:

It WILL catch:

  • Typosquatted names (Discrod, Steamm, Mcrosoft, Whatsap)
  • Cracks, keygens, activators, and patches ("Office-Activator.exe", "Steam-Crack.exe")
  • Random gibberish filenames (a8f3x.exe, tmp29dk.exe)
  • Suspiciously small executables (under 100KB - likely a dropper/stub)
  • Double extensions hiding executables (report.pdf.exe, photo.jpg.scr)
  • Unusually large files for their type
  • Unknown or unrecognizable sources

These are the attacks that actually trick people every day - fake downloads, social engineering, phishing links that drop typosquatted installers. The LLM is excellent at spotting these because they rely on fooling humans, not software.

It will NOT catch:

  • A file that looks completely legitimate in every way (correct name, correct size, correct type) but has malicious code hidden inside the binary. The LLM reviews metadata, not file contents - it's not antivirus.

That's why SuperSafe is one layer in a stack, not a replacement for antivirus. Windows Defender, SmartScreen, and your antivirus still scan anything that reaches the approved folder. SuperSafe catches the obvious fakes before they even get that far.

Other limitations

  • The watcher script needs permissions to move/delete files on the quarantine drive

Defense in depth

This system is designed as one layer in a multi-layer security approach:

  1. Agent sandboxing - Docker containers, restricted file access
  2. Quarantine gate - This project (file-level review before approval)
  3. OS-level protection - Windows Defender, SmartScreen, UAC
  4. Network-level - Proxy filtering, firewall rules

Verdict Logs

Every reviewed file produces a verdict log in the verdict_log_folder:

================================================================================
QUARANTINE VERDICT LOG
================================================================================
FILE:     SpotifySetup.exe
SHA256:   a1b2c3d4e5f6...
SIZE:     1.24 MB
TYPE:     .exe
TIME:     2025-01-15 14:32:07.421
VERDICT:  SAFE: SpotifySetup.exe - Spotify, legitimate installer
================================================================================

Logs are named with timestamp and filename: 2025-01-15_14-32-12-104_SpotifySetup.exe.txt

Scripts

Script Purpose Requires Admin?
security-gate-watcher.ps1 Main watcher - monitors staging, quarantines, reviews, enforces No
emergency-eject.ps1 Ejects or formats the quarantine drive in an emergency Partial (format needs Admin)
lockdown-drive.ps1 Denies execute permissions on the quarantine drive Yes
test-setup.ps1 Drops test files to verify your setup works end-to-end No

Troubleshooting

"Running scripts is disabled on this system" Run Set-ExecutionPolicy RemoteSigned -Scope CurrentUser in PowerShell as Administrator. See Quick Start step 1.

"config.json not found" Copy config.example.json to config.json in the repo root and fill in your paths.

"Quarantine drive not mounted" Plug in your removable drive and make sure the quarantine_drive path exists (e.g., create F:\incoming).

"This script must be run as Administrator" Right-click PowerShell and select "Run as Administrator" before running lockdown-drive.ps1.

"Drive is formatted as FAT32/exFAT" The lockdown script requires NTFS to set execute-deny permissions. Convert with convert F: /fs:ntfs (no data loss) or reformat as NTFS in File Explorer (erases data).

Watcher doesn't see files Make sure your agent is saving to the exact staging_folder path in config.json. The watcher ignores .tmp, .crdownload, .partial, and desktop.ini files.

"Reviewer command not found" The watcher checks that your LLM CLI tool exists before starting. Install it (npm install -g @anthropic-ai/claude-code for Claude Code, or download Ollama from ollama.com) and make sure it's in your system PATH.

LLM doesn't produce a verdict Check that reviewer_command is correct and the LLM CLI tool is installed and in your PATH. The watcher looks for a line starting with SAFE or DANGEROUS in the LLM's output. If using Claude Code, it can also write the verdict to a file on the quarantine drive.

Drive won't eject The script automatically tries three methods: Shell eject, mountvol eject, then full format. If all three fail, close all programs using the drive and physically unplug it.

Contributing

This is our first source-available project. We're learning as we go.

If you're running AI agents and dealing with similar trust problems, we want to hear from you. Open an issue, submit a PR, or just tell us what we got wrong. Constructive criticism makes this better for everyone.

Some areas we know could use improvement:

  • Linux/macOS support (currently Windows-only)
  • Binary content analysis (currently metadata-only review)
  • VirusTotal API integration for hash checking
  • Support for reviewing multiple files in parallel
  • A web dashboard for verdict history

Credits

Built by Nacho / A Generation Forwordz Foundation (501c3).

Built using Claude Code (Anthropic's CLI tool) under Nacho's design and direction. Every script, config, and doc was human-reviewed before it went in.

Born from running Nova - an autonomous AI agent powered by a 20B parameter open source model on local hardware - and needing a way to trust-but-verify every file she downloads. The SD card air gap was the key insight: if software fails, hardware wins.

License

PolyForm Noncommercial 1.0.0

This project is source-available for noncommercial use. The full source code is here for you to use, learn from, modify, and share - but you cannot sell it or use it commercially. This is not an OSI-approved open source license, and we're upfront about that. We chose PolyForm Noncommercial because it was written specifically for software (unlike Creative Commons, which was designed for creative content). It clearly covers source code, dependencies, and distribution without the ambiguity that CC licenses have when applied to code.

Use it, improve it, share it, learn from it. Keep it free, give credit. Do not sell it.

See LICENSE for details.

About

AI agent file quarantine system - isolate downloaded files on removable drives, review with LLM, approve or destroy. Hardware air gap when software fails.

Topics

Resources

License

Security policy

Stars

3 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors