Agents now read the open web and run shell commands on their own. A poisoned page can hijack them into leaking secrets or running curl … | sh. Nexus stops that — on your machine.
Both run on-device. Clean content and safe commands pass through untouched.
Scans every WebFetch/WebSearch result before the model reads it. Injections are rewritten to a redacted, defanged version — the payload never reaches the agent. 16/16 on a cross-lingual benchmark.
Screens every Bash command before it runs. An injected agent about to curl|sh, open a reverse shell, rm -rf /, or exfiltrate ~/.ssh/id_rsa is denied. High-confidence patterns only.
nexus guard demo — real attack scenarios, nothing executed. Red-teamed, not self-tested: ~80% of novel attacks · ~66% of adaptive attacks · 0 false positives across 4 fresh adversarial rounds (npx tsx scripts/adaptive-benchmark.ts). A tripwire + spotlighting backstop, not a sandbox — pair with least privilege.
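The Bash screening described above, sketched as an added example that is not Nexus's own code: a pre-execution check for three of the named patterns (a download piped into a shell, rm -rf aimed at / or home, a private SSH key handed to a network tool). Every function name, tool list and rule detail here is an assumption made for illustration.

```typescript
// Added example: every name below is hypothetical, not Nexus's own rule set.
type Stage = { name: string; argv: string[]; piped: boolean };
type Verdict = { allow: boolean; reason?: string };
const SHELLS = new Set(["sh", "bash", "zsh", "dash"]);
const FETCHERS = new Set(["curl", "wget"]);
const NET_TOOLS = new Set(["curl", "wget", "nc", "ncat", "scp"]);
// Private key under a .ssh directory; the (?!\.pub) lookahead skips public keys.
const PRIVATE_KEY = /(?:~|\$HOME|\/home\/[^\/\s]+|\/root)\/\.ssh\/id_[a-z0-9]+(?!\.pub)\b/;

// Split on | ; && ||, drop sudo/env/VAR= prefixes, note which commands read from a pipe.
function stages(cmd: string): Stage[] {
  const out: Stage[] = [];
  let piped = false;
  for (const part of cmd.split(/(\|\||&&|;|\|)/)) {
    if (part === "|") { piped = true; continue; }
    if (part === "||" || part === "&&" || part === ";") { piped = false; continue; }
    const words = part.trim().split(/\s+/).filter(Boolean);
    const start = words.findIndex(w => w !== "sudo" && w !== "env" && !/^\w+=/.test(w));
    const argv = start < 0 ? [] : words.slice(start);
    if (argv.length) out.push({ name: (argv[0] ?? "").split("/").pop() ?? "", argv, piped });
  }
  return out;
}

// rm with both recursive and force flags aimed at / or the home directory.
function isRootWipe(argv: string[]): boolean {
  const flags = argv.filter(a => a.startsWith("-"));
  const short = flags.filter(a => !a.startsWith("--")).join("");
  const recursive = /[rR]/.test(short) || flags.includes("--recursive");
  const force = short.includes("f") || flags.includes("--force");
  const targets = argv.slice(1).filter(a => !a.startsWith("-"));
  return recursive && force && targets.some(t => /^(\/\*?|~\/?|\$HOME\/?)$/.test(t));
}

function screen(cmd: string): Verdict {
  const st = stages(cmd);
  let prev = "";
  for (const s of st) {
    if (s.piped && SHELLS.has(s.name) && FETCHERS.has(prev))
      return { allow: false, reason: "download piped to shell" };
    if (s.name === "rm" && isRootWipe(s.argv))
      return { allow: false, reason: "recursive force delete of / or home" };
    prev = s.name;
  }
  // Reading a key is normal; doing so in a command that also talks to the network is not.
  if (PRIVATE_KEY.test(cmd) && st.some(s => NET_TOOLS.has(s.name)))
    return { allow: false, reason: "private key passed to a network tool" };
  return { allow: true };
}
```

The rules are deliberately narrow: rm -rf ./build, a download piped into jq, and any use of id_rsa.pub all pass, which is the trade a high-confidence screen makes against false positives.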
Working tree and git history — catches secrets committed then deleted. Every finding redacted.
BM25 + synonym/transliteration expansion over your sessions, cross-lingual (KO↔EN). Learns embeddings from your corpus.
19 detectors: bugs, hardcoded secrets, SQLi, eval, XSS, dead code, AI-slop.
Works in any MCP agent — Claude Code, Cursor, Cline, Continue. Also a CLI and a TS library.
Most READMEs claim “100%.” Nexus ships the eval and the number — including the experiments it rejected.
A learned-embedding expansion that moved recall +1.2% → kept off by default. A pretrained multilingual encoder that lost to BM25 on this corpus → kept optional, not the backbone. Every benchmark is one reproducible command. A tool you can trust beats a tool that looks good.