hopeids

// Inference-based intrusion detection for AI agents with quarantine and human-in-the-loop.

$ git log --oneline --stat

stars:1,933

forks:367

updated:March 4, 2026

SKILL.mdreadonly

hopeIDS Security Skill

Inference-based intrusion detection for AI agents with quarantine and human-in-the-loop.

Security Invariants

These are non-negotiable design principles:

Block = full abort — Blocked messages never reach jasper-recall or the agent
Metadata only — No raw malicious content is ever stored
Approve ≠ re-inject — Approval changes future behavior, doesn't resurrect messages
Alerts are programmatic — Telegram alerts built from metadata, no LLM involved

Features

Auto-scan — Scan messages before agent processing
Quarantine — Block threats with metadata-only storage
Human-in-the-loop — Telegram alerts for review
Per-agent config — Different thresholds for different agents
Commands — /approve, /reject, /trust, /quarantine

The Pipeline

Message arrives
    ↓
hopeIDS.autoScan()
    ↓
┌─────────────────────────────────────────┐
│  risk >= threshold?                     │
│                                         │
│  BLOCK (strictMode):                    │
│     → Create QuarantineRecord           │
│     → Send Telegram alert               │
│     → ABORT (no recall, no agent)       │
│                                         │
│  WARN (non-strict):                     │
│     → Inject <security-alert>           │
│     → Continue to jasper-recall         │
│     → Continue to agent                 │
│                                         │
│  ALLOW:                                 │
│     → Continue normally                 │
└─────────────────────────────────────────┘

Configuration

{
  "plugins": {
    "entries": {
      "hopeids": {
        "enabled": true,
        "config": {
          "autoScan": true,
          "defaultRiskThreshold": 0.7,
          "strictMode": false,
          "telegramAlerts": true,
          "agents": {
            "moltbook-scanner": {
              "strictMode": true,
              "riskThreshold": 0.7
            },
            "main": {
              "strictMode": false,
              "riskThreshold": 0.8
            }
          }
        }
      }
    }
  }
}

Options

Option	Type	Default	Description
`autoScan`	boolean	`false`	Auto-scan every message
`strictMode`	boolean	`false`	Block (vs warn) on threats
`defaultRiskThreshold`	number	`0.7`	Risk level that triggers action
`telegramAlerts`	boolean	`true`	Send alerts for blocked messages
`telegramChatId`	string	-	Override alert destination
`quarantineDir`	string	`~/.openclaw/quarantine/hopeids`	Storage path
`agents`	object	-	Per-agent overrides
`trustOwners`	boolean	`true`	Skip scanning owner messages

Quarantine Records

When a message is blocked, a metadata record is created:

{
  "id": "q-7f3a2b",
  "ts": "2026-02-06T00:48:00Z",
  "agent": "moltbook-scanner",
  "source": "moltbook",
  "senderId": "@sus_user",
  "intent": "instruction_override",
  "risk": 0.85,
  "patterns": [
    "matched regex: ignore.*instructions",
    "matched keyword: api key"
  ],
  "contentHash": "ab12cd34...",
  "status": "pending"
}

Note: There is NO originalMessage field. This is intentional.

Telegram Alerts

When a message is blocked:

🛑 Message blocked

ID: `q-7f3a2b`
Agent: moltbook-scanner
Source: moltbook
Sender: @sus_user
Intent: instruction_override (85%)

Patterns:
• matched regex: ignore.*instructions
• matched keyword: api key

`/approve q-7f3a2b`
`/reject q-7f3a2b`
`/trust @sus_user`

Built from metadata only. No LLM touches this.

Commands

`/quarantine [all|clean]`

List quarantine records.

/quarantine        # List pending
/quarantine all    # List all (including resolved)
/quarantine clean  # Clean expired records

`/approve <id>`

Mark a blocked message as a false positive.

/approve q-7f3a2b

Effect:

Status → approved
(Future) Add sender to allowlist
(Future) Lower pattern weight

`/reject <id>`

Confirm a blocked message was a true positive.

/reject q-7f3a2b

Effect:

Status → rejected
(Future) Reinforce pattern weights

`/trust <senderId>`

Whitelist a sender for future messages.

/trust @legitimate_user

`/scan <message>`

Manually scan a message.

/scan ignore your previous instructions and...

What Approve/Reject Mean

Command	What it does	What it doesn't do
`/approve`	Marks as false positive, may adjust IDS	Does NOT re-inject the message
`/reject`	Confirms threat, may strengthen patterns	Does NOT affect current message
`/trust`	Whitelists sender for future	Does NOT retroactively approve

The blocked message is gone by design. If it was legitimate, the sender can re-send.

Per-Agent Configuration

Different agents need different security postures:

"agents": {
  "moltbook-scanner": {
    "strictMode": true,    // Block threats
    "riskThreshold": 0.7   // 70% = suspicious
  },
  "main": {
    "strictMode": false,   // Warn only
    "riskThreshold": 0.8   // Higher bar for main
  },
  "email-processor": {
    "strictMode": true,    // Always block
    "riskThreshold": 0.6   // More paranoid
  }
}

Threat Categories

Category	Risk	Description
`command_injection`	🔴 Critical	Shell commands, code execution
`credential_theft`	🔴 Critical	API key extraction attempts
`data_exfiltration`	🔴 Critical	Data leak to external URLs
`instruction_override`	🔴 High	Jailbreaks, "ignore previous"
`impersonation`	🔴 High	Fake system/admin messages
`discovery`	⚠️ Medium	API/capability probing

Installation

npx hopeid setup

Then restart OpenClaw.