AI agents read a lot of text they didn't write — tool results, network messages, skill files, memory notes. Any of it can carry an attack. AEGIS sits in front of every input surface and stops it. NVIDIA's SkillSpector scans skill files before install. AEGIS covers everything that arrives after.
SkillSpector scans skill repositories for malicious patterns, excessive permissions, and supply-chain risks before installation. It correctly flags ~26% of skills with real security issues. That's a meaningful gate.
Once a skill is installed, it calls external APIs. Those responses arrive through a legitimate, already-verified channel. A benign skill can deliver a malicious payload at runtime. SkillSpector never sees it — no static analyzer can.
SkillSpector scans skill files (Git repos, zip archives, single files) using AST analysis, YARA signatures, manifest checks, and optional LLM semantic analysis. It generates SARIF 2.1.0 reports for CI gating.
It runs at install time. Once the skill is trusted and deployed, SkillSpector's job is done.
AEGIS intercepts every string that enters agent context, from any source, and passes it through a two-stage cascade: Aho-Corasick pattern matching in microseconds, then a local Qwen3-1.7B judge to kill false positives.
It is always running, with no install-time gate, and covers the surfaces that static analysis structurally cannot reach.
Prompt injection doesn't arrive in a skill's README.md.
It arrives in data — tool outputs, network messages, files the agent reads mid-task.
These surfaces have zero overlap with what any pre-install scanner sees.
95% of content is benign. Sending every read to a local LLM would cost 260ms per file. AEGIS runs an Aho-Corasick automaton first — ~3 µs, catches the obvious cases — then escalates to the judge only on hits. The judge's job is to kill false positives, not to do primary detection.
The first stage (L1) is a compiled automaton over ~300 IoC patterns covering prompt injection triggers, infra-impersonation strings, jailbreak prefixes, and homoglyph encodings.
It runs on every input, synchronously, before the agent reads it. If nothing matches, the string is allowed immediately.
The second stage (L2) runs only when L1 flags a match: AEGIS sends an 800-byte excerpt around the hit location to a local Qwen3-1.7B instance running via llama.cpp. The judge scores intent (0.0 = benign, 1.0 = attack).
Scores below 0.5 veto the quarantine, so code that contains subprocess calls, bash patterns, or override language in a legitimate context is allowed through.
Every verdict — allow or quarantine — is written to an append-only JSON log with HMAC chaining. Each entry includes the previous entry's hash. Log tampering is detectable.
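A constructed illustration of the chained verdict log described above (an added example, not AEGIS's own code or log schema; the field names, the genesis value and the sample verdicts are assumptions):

```python
import hashlib
import hmac
import json

# Constructed illustration of an HMAC-chained, append-only verdict log.
# Field names and layout are assumptions, not AEGIS's actual log schema.
GENESIS = "0" * 64  # prev_hash carried by the first entry


def _canonical(body: dict) -> bytes:
    # Deterministic serialization so the tag always covers one fixed byte string.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_verdict(log: list, key: bytes, source: str, verdict: str, score):
    """Append an allow/quarantine verdict; each entry carries the previous entry's tag."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "source": source, "verdict": verdict,
            "score": score, "prev_hash": prev_hash}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, hash=tag)
    log.append(entry)
    return entry


def verify_chain(log: list, key: bytes):
    """Return (True, -1) if intact, else (False, index of the first broken entry)."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev_hash") != expected_prev:
            return False, i  # entry deleted, reordered, or spliced in
        tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, entry.get("hash", "")):
            return False, i  # entry contents edited, or wrong key
        expected_prev = entry["hash"]
    return True, -1


def tamper_scenarios(key: bytes) -> dict:
    """Build a three-entry log (constructed verdicts) and show what the chain catches."""
    log = []
    append_verdict(log, key, "tool:web_fetch", "quarantine", 0.91)
    append_verdict(log, key, "file:CLAUDE.md", "allow", None)
    append_verdict(log, key, "inbox:msg-17", "allow", 0.12)
    edited = json.loads(json.dumps(log))  # deep copy, then flip one verdict
    edited[0]["verdict"] = "allow"
    return {
        "intact": verify_chain(log, key),
        "edited_entry": verify_chain(edited, key),
        "deleted_middle": verify_chain(log[:1] + log[2:], key),
        "wrong_key": verify_chain(log, b"other-key"),
        "truncated_tail": verify_chain(log[:2], key),  # passes: chain alone cannot see this
    }
```

The chain detects edits, deletions and reordering by anyone without the key, but a silently truncated tail verifies cleanly unless the latest tag or the entry count is anchored outside the log.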
880 KB static Rust binary. Embed `aegis scan-pipe` anywhere in your toolchain.
Hook into Claude Code via `PreToolUse`. Call from CI.
No network access required at runtime.
These tools are complementary. SkillSpector audits skill code before installation. AEGIS intercepts content at runtime. Run both and you cover the full attack surface — static and dynamic.
| Capability | SkillSpector (NVIDIA) | AEGIS |
|---|---|---|
| When it runs | Pre-install (one-shot scan) | Runtime (every input, always on) |
| Skill source code analysis | ✓ AST + YARA + LLM semantic | → pattern match at load time |
| Runtime API responses from skills | ✗ not in scope | ✓ every response filtered |
| Overlay network inbox messages | ✗ not in scope | ✓ intercepted before agent reads |
| MCP tool call results | ✗ not in scope | ✓ via PreToolUse hook |
| Memory / CLAUDE.md injection | ✗ not in scope | ✓ file read surface covered |
| Homoglyph bypass detection | → YARA signatures (partial) | ✓ full Unicode normalization table |
| False positive reduction | ✓ LLM semantic scoring | ✓ Qwen3-1.7B local judge (L2) |
| CI / merge gating | ✓ SARIF 2.1.0, GitHub Code Scanning | → `aegis scan-pipe` exit codes |
| Supply chain verification | ✓ dependency analysis | ✗ out of scope |
| Hardware requirement | ✓ none (pure software) | ✓ none (runs on any Mac/Linux) |
| Network at runtime | LLM call optional (cloud or local) | ✓ fully offline |
| Binary size | Python package (~40 MB deps) | 880 KB static binary |
| Audit log | ✗ report only | ✓ HMAC-chained append-only log |
Single static binary. Install via Homebrew or via the Pilot Network — which pulls the binary, judge model, and daemon config in one command.
To wire AEGIS into Claude Code, add `~/.claude/hooks/pre-tool-use.sh`; see the README for details.
The Pilot Network install pulls the AEGIS binary, model, and daemon in one step via the local app store. Everything runs on your machine — the overlay network just handles discovery and dependency wiring.
`aegis.scan` is callable by any agent on the overlay, for vetting untrusted content before processing it.