PoisonZero monitors your agents' Memory Files and dot-Files in real time, scores every change, and automatically reverts poisoned entries.
AI coding agents read your repos, run commands, and touch your secrets — and they act on whatever they remember. Slip one fake instruction into that memory and the agent carries out an attacker’s orders, with full access. No exploit. No alert. Every dashboard stays green.
fake “skills” were planted in one real supply-chain attack before anyone noticed.
ClawHavoc · real incidentPoisonZero is a lightweight security agent that runs on your machine, watches your AI agents’ memory, and reverts anything an attacker plants in it.
A poisoned file can say “already reviewed, don’t report this.” It can’t switch the detector off. That text reads as an attack, so it pushes the danger score up — which is exactly how PoisonZero stops attacks aimed at the scanner itself, like the Hades worm.
How Melira is builtNot just what your agent remembers in plain text — also settings.json, hooks, and auto-approve flips (CVE-2025-53773). Config-file persistence is the actual mechanism real worms use.
A behavioral sequence monitor watches across files and sessions: read-a-secret-now / exfiltrate-later, sub-threshold “salami” edits, tool-allowlist creep — using only signals like paths and timestamps, never your content.
Defense in depthDetection runs on-device — there is no analysis cloud to leak to. A built-in egress ledger records every outbound request, and poisonzero egress / poisonzero redact let you verify exactly what would leave, before trusting our word.
OpenTelemetry and SIEM export stream daemon → your collector, never touching PoisonZero — even in cloud mode. You choose the detail level: hashes, redacted, or full.
Observability & exportMelira is adversarially fine-tuned and purpose-built for memory poisoning — deterministic at temperature 0, SHA-256-pinned before every start, with a named attack taxonomy.
MeliraModel → deterministic signature floor → behavioral sequence monitor → kernel-hardened sandbox. Every layer can only escalate a verdict, never quietly clear it.
The pipelineThe same feature set either way, chosen per machine within one fleet. Private is fully local — roughly one network request every 30 days, with a zero-egress option.
Deployment modesOpenTelemetry to any collector, SIEM export as JSON, CEF or syslog, and a plain-JSON Admin REST API built for scripts and AI agents.
Admin APIA native Claude Code status line and /poisonzero command, plus setup for Codex, Gemini CLI and Cursor — fully local, no memory writes.
Bring your own LLM as an always-on second opinion that can never downgrade a block; roll out via SCCM, Intune or Ansible; device-bound licensing with no vendor kill-switch.
EnterprisePoisonZero runs on the same machine as your agent. Every change to its memory gets checked and rated for danger. Safe edits pass. Dangerous ones are undone automatically — in a fraction of a second, before the agent acts on them. Every decision is logged.
# PoisonZero watch — live [ok] note added · danger 0.04 · allow [ok] pref updated · danger 0.11 · allow [block] "ignore all safety rules and…" danger 0.96 · revert ↳ reverted automatically, audit logged [ok] task done · danger 0.08 · allow
a poisoned change is caught the moment it’s written — and reverted automatically.
runs on your own machine. In private mode, your code and secrets never leave it.
is scored and gated — fail-closed when unsure, and logged for a full audit trail.
How ClawHub & Co. become a supply chain — one command, third-party instructions running with full privileges inside your agent's memory.
IncidentThe real ClawHub supply-chain attack — typosquatting, disguised malware, credential theft. And what it teaches us about marketplaces.
CI/CDHow attackers hijack CI/CD — without changing a single line of app code. OWASP CICD-SEC-4, Megalodon, TanStack.
SynthesisAutonomous agents in pipelines create a new persistence layer — if their memory gets poisoned.
Protection that grows with your agents — no platform fee, no hidden costs. Pricing details are coming soon.
For teams protecting in production.
Scale, governance and premium capabilities.
Set up PoisonZero in 60 seconds — Linux, macOS, Windows. Free to start.