PoisonZero monitors your agents' Memory Files and dot-Files in real time, scores every change, and automatically reverts poisoned entries — before they can do any harm.
Modern agents remember context across sessions — in dot-Files, memory directories, vector stores. That's exactly where the attack lands: slip in a malicious “memory” and the agent later follows it as if it were its own. No exploit, no crash — just text masquerading as truth.
Hidden instructions in documents, web pages, or tool outputs that the agent quietly absorbs into its Memory Files.
Permanently planted false facts or rules that skew every future decision your agent makes.
Entries that instruct the agent to ignore or switch off its own safeguards.
A lightweight daemon watches the protected paths. Every change is scored by an AI model — and, based on your thresholds, automatically allowed, flagged for confirmation, or reverted.
The daemon monitors your agents' Memory Files — locally, without shipping your data off to the cloud.
Every change gets a danger level (0–1) and a confidence (0–1) from the AI model.
Above the thresholds it auto-reverts, below them it allows — everything in between PoisonZero brings to you.
# PoisonZero watch — live [ok] note added · danger 0.04 · allow [ok] pref updated · danger 0.11 · allow [block] "ignore all safety rules and…" danger 0.96 · revert ↳ reverted in 240ms, audit logged [ok] task done · danger 0.08 · allow
If the AI is unsure, it doesn't wave things through — it asks. Safety is the default, not the exception.
Thresholds, protected paths, and profiles are set per agent — clearly explained, no JSON fiddling.
Every decision is logged: what, when, why. Fully traceable in the panel at app.poisonzero.com.
One daemon for Linux, macOS, and Windows. OS-native paths, native installers.
Watches files via filesystem events instead of expensive polling. You won't feel a thing until something happens.
Spots entries that try to disable the protection itself — the most common second step of an attack.
How ClawHub & Co. become a supply chain — one command, third-party instructions running with full privileges inside your agent's memory.
IncidentThe real ClawHub supply-chain attack — typosquatting, disguised malware, credential theft. And what it teaches us about marketplaces.
CI/CDHow attackers hijack CI/CD — without changing a single line of app code. OWASP CICD-SEC-4, Megalodon, TanStack.
SynthesisAutonomous agents in pipelines create a new persistence layer — if their memory gets poisoned.
Start with 14 days free. After that you only pay per active daemon — no platform fee, no surprises.
Full feature set, zero risk.
For teams protecting in production.
Maximum control & data sovereignty.