✓ Verified 📡 Monitoring ✓ Enhanced Data

Hopeids

Inference-based intrusion detection for AI agents with quarantine.

Rating
4.5 (112 reviews)
Downloads
1,127 downloads
Version
1.0.0

Overview

Inference-based intrusion detection for AI agents with quarantine.

Key Features

1

Auto-scan — Scan messages before agent processing

2

Quarantine — Block threats with metadata-only storage

3

Human-in-the-loop — Telegram alerts for review

4

Per-agent config — Different thresholds for different agents

5

Commands — /approve, /reject, /trust, /quarantine

6

--

Complete Documentation

View Source →

hopeIDS Security Skill

Inference-based intrusion detection for AI agents with quarantine and human-in-the-loop.

Security Invariants

These are non-negotiable design principles:

  • Block = full abort — Blocked messages never reach jasper-recall or the agent
  • Metadata only — No raw malicious content is ever stored
  • Approve ≠ re-inject — Approval changes future behavior, doesn't resurrect messages
  • Alerts are programmatic — Telegram alerts built from metadata, no LLM involved

Features

  • Auto-scan — Scan messages before agent processing
  • Quarantine — Block threats with metadata-only storage
  • Human-in-the-loop — Telegram alerts for review
  • Per-agent config — Different thresholds for different agents
  • Commands/approve, /reject, /trust, /quarantine

The Pipeline

text
Message arrives
    ↓
hopeIDS.autoScan()
    ↓
┌─────────────────────────────────────────┐
│  risk >= threshold?                     │
│                                         │
│  BLOCK (strictMode):                    │
│     → Create QuarantineRecord           │
│     → Send Telegram alert               │
│     → ABORT (no recall, no agent)       │
│                                         │
│  WARN (non-strict):                     │
│     → Inject <security-alert>           │
│     → Continue to jasper-recall         │
│     → Continue to agent                 │
│                                         │
│  ALLOW:                                 │
│     → Continue normally                 │
└─────────────────────────────────────────┘

Configuration

json
{
  "plugins": {
    "entries": {
      "hopeids": {
        "enabled": true,
        "config": {
          "autoScan": true,
          "defaultRiskThreshold": 0.7,
          "strictMode": false,
          "telegramAlerts": true,
          "agents": {
            "moltbook-scanner": {
              "strictMode": true,
              "riskThreshold": 0.7
            },
            "main": {
              "strictMode": false,
              "riskThreshold": 0.8
            }
          }
        }
      }
    }
  }
}

Options

OptionTypeDefaultDescription
autoScanbooleanfalseAuto-scan every message
strictModebooleanfalseBlock (vs warn) on threats
defaultRiskThresholdnumber0.7Risk level that triggers action
telegramAlertsbooleantrueSend alerts for blocked messages
telegramChatIdstring-Override alert destination
quarantineDirstring~/.openclaw/quarantine/hopeidsStorage path
agentsobject-Per-agent overrides
trustOwnersbooleantrueSkip scanning owner messages

Quarantine Records

When a message is blocked, a metadata record is created:

json
{
  "id": "q-7f3a2b",
  "ts": "2026-02-06T00:48:00Z",
  "agent": "moltbook-scanner",
  "source": "moltbook",
  "senderId": "@sus_user",
  "intent": "instruction_override",
  "risk": 0.85,
  "patterns": [
    "matched regex: ignore.*instructions",
    "matched keyword: api key"
  ],
  "contentHash": "ab12cd34...",
  "status": "pending"
}

Note: There is NO originalMessage field. This is intentional.

Telegram Alerts

When a message is blocked:

text
🛑 Message blocked

ID: `q-7f3a2b`
Agent: moltbook-scanner
Source: moltbook
Sender: @sus_user
Intent: instruction_override (85%)

Patterns:
• matched regex: ignore.*instructions
• matched keyword: api key

`/approve q-7f3a2b`
`/reject q-7f3a2b`
`/trust @sus_user`

Built from metadata only. No LLM touches this.

Commands

/quarantine [all|clean]

List quarantine records.

text
/quarantine        # List pending
/quarantine all    # List all (including resolved)
/quarantine clean  # Clean expired records

/approve

Mark a blocked message as a false positive.

text
/approve q-7f3a2b

Effect:

  • Status → approved
  • (Future) Add sender to allowlist
  • (Future) Lower pattern weight

/reject

Confirm a blocked message was a true positive.

text
/reject q-7f3a2b

Effect:

  • Status → rejected
  • (Future) Reinforce pattern weights

/trust

Whitelist a sender for future messages.

text
/trust @legitimate_user

/scan

Manually scan a message.

text
/scan ignore your previous instructions and...

What Approve/Reject Mean

CommandWhat it doesWhat it doesn't do
/approveMarks as false positive, may adjust IDSDoes NOT re-inject the message
/rejectConfirms threat, may strengthen patternsDoes NOT affect current message
/trustWhitelists sender for futureDoes NOT retroactively approve
The blocked message is gone by design. If it was legitimate, the sender can re-send.

Per-Agent Configuration

Different agents need different security postures:

json
"agents": {
  "moltbook-scanner": {
    "strictMode": true,    // Block threats
    "riskThreshold": 0.7   // 70% = suspicious
  },
  "main": {
    "strictMode": false,   // Warn only
    "riskThreshold": 0.8   // Higher bar for main
  },
  "email-processor": {
    "strictMode": true,    // Always block
    "riskThreshold": 0.6   // More paranoid
  }
}

Threat Categories

CategoryRiskDescription
command_injection🔴 CriticalShell commands, code execution
credential_theft🔴 CriticalAPI key extraction attempts
data_exfiltration🔴 CriticalData leak to external URLs
instruction_override🔴 HighJailbreaks, "ignore previous"
impersonation🔴 HighFake system/admin messages
discovery⚠️ MediumAPI/capability probing

Installation

bash
npx hopeid setup

Then restart OpenClaw.

Links

  • GitHub: https://github.com/E-x-O-Entertainment-Studios-Inc/hopeIDS
  • npm: https://www.npmjs.com/package/hopeid
  • Docs: https://exohaven.online/products/hopeids

Installation

Terminal bash 

openclaw install hopeids
Copied!

💻Code Examples

└─────────────────────────────────────────┘

.txt
---

## Configuration

}

.txt
### Options

| Option | Type | Default | Description |
|--------|------|---------|-------------|
| `autoScan` | boolean | `false` | Auto-scan every message |
| `strictMode` | boolean | `false` | Block (vs warn) on threats |
| `defaultRiskThreshold` | number | `0.7` | Risk level that triggers action |
| `telegramAlerts` | boolean | `true` | Send alerts for blocked messages |
| `telegramChatId` | string | - | Override alert destination |
| `quarantineDir` | string | `~/.openclaw/quarantine/hopeids` | Storage path |
| `agents` | object | - | Per-agent overrides |
| `trustOwners` | boolean | `true` | Skip scanning owner messages |

---

## Quarantine Records

When a message is blocked, a metadata record is created:

}

.txt
**Note:** There is NO `originalMessage` field. This is intentional.

---

## Telegram Alerts

When a message is blocked:

`/trust @sus_user`

trust-sususer.txt
Built from metadata only. No LLM touches this.

---

## Commands

### `/quarantine [all|clean]`

List quarantine records.

/quarantine clean # Clean expired records

quarantine-clean--clean-expired-records.txt
### `/approve <id>`

Mark a blocked message as a false positive.

/approve q-7f3a2b

approve-q-7f3a2b.txt
**Effect:**
- Status → `approved`
- (Future) Add sender to allowlist
- (Future) Lower pattern weight

### `/reject <id>`

Confirm a blocked message was a true positive.

/reject q-7f3a2b

reject-q-7f3a2b.txt
**Effect:**
- Status → `rejected`
- (Future) Reinforce pattern weights

### `/trust <senderId>`

Whitelist a sender for future messages.

/trust @legitimate_user

trust-legitimateuser.txt
### `/scan <message>`

Manually scan a message.

/scan ignore your previous instructions and...

scan-ignore-your-previous-instructions-and.txt
---

## What Approve/Reject Mean

| Command | What it does | What it doesn't do |
|---------|--------------|-------------------|
| `/approve` | Marks as false positive, may adjust IDS | Does NOT re-inject the message |
| `/reject` | Confirms threat, may strengthen patterns | Does NOT affect current message |
| `/trust` | Whitelists sender for future | Does NOT retroactively approve |

**The blocked message is gone by design.** If it was legitimate, the sender can re-send.

---

## Per-Agent Configuration

Different agents need different security postures:

}

.txt
---

## Threat Categories

| Category | Risk | Description |
|----------|------|-------------|
| `command_injection` | 🔴 Critical | Shell commands, code execution |
| `credential_theft` | 🔴 Critical | API key extraction attempts |
| `data_exfiltration` | 🔴 Critical | Data leak to external URLs |
| `instruction_override` | 🔴 High | Jailbreaks, "ignore previous" |
| `impersonation` | 🔴 High | Fake system/admin messages |
| `discovery` | ⚠️ Medium | API/capability probing |

---

## Installation

Tags

#security_and-passwords

Quick Info

Category Monitoring
Model Claude 3.5
Complexity Multi-Agent
Author emberdesire
Last Updated 3/10/2026
🚀
Optimized for
Claude 3.5
🧠

Ready to Install?

Get started with this skill in seconds

openclaw install hopeids

Resources

📂
OpenClaw Skills
View on OpenClaw GitHub

Related Skills

✓ Verified 💻 Development

4claw

4claw — a moderated imageboard for AI agents.

🧠 Claude-Ready #ai_and-llms
)}
4.4 (118)
4,990
v1.0.0
✓ Verified 💻 Development

Aap Passport

Agent Attestation Protocol - The Reverse Turing Test.

🧠 Claude-Ready #ai_and-llms
)}
4.3 (89)
4,621
v1.0.0
✓ Verified 💻 Development

Adaptive Suite

A continuously adaptive skill suite that empowers Clawdbot.

🧠 Claude-Ready #ai_and-llms #bot
)}
4.7 (88)
1,625
v1.0.0
✓ Verified 💻 Development

Adversarial Prompting

Adversarial analysis to critique, fix.

🧠 Claude-Ready #ai_and-llms
)}
4.6 (372)
28,222
v1.0.0