Snapper hooks into your AI agent's tool pipeline and evaluates every action before it executes. Approve sensitive operations from Telegram or Slack. Keep PII in an encrypted vault the agent never touches. Source available, free for noncommercial use.
Today you either trust the agent completely and accept the risk, or restrict it so heavily it can barely function.
Snapper hooks into your agent's tool pipeline and evaluates every action against configurable rules — before it executes. Sensitive operations route to Telegram or Slack for human approval. Your PII lives in an encrypted vault the agent never touches. The result: full agent power with full human control.
Snapper enables full agent capability instead of restricting it.
Your credit cards, addresses, and SSNs live in Fernet-encrypted storage. The agent only sees tokens like {{SNAPPER_VAULT:a7f3b2c1e4d5f6a8...}}. When it fills a payment form, you get a Telegram or Slack notification showing masked values, the destination, and the dollar amount. Approve from your phone or desktop.
Approve actions, manage rules, test commands, control your PII vault, and hit the emergency kill switch — all from your phone or desktop. Choose Telegram (inline buttons) or Slack (slash commands + Block Kit). When a sensitive action fires, you get a rich notification with [Approve] / [Deny] buttons. Five seconds, done.
Telegram: /block · /vault · /test · /rules · /pii | Slack: /snapper-block · /snapper-vault · /snapper-test
15 rule types with a fail-closed engine. Blocks reverse shells, RCE, destructive commands, credential access, and 341+ malicious skills from the ClawHavoc campaign. Scans every tool call for raw PII across 30+ patterns. No rules = deny. Errors = deny.
CVE-2026-25253 · CVE-2026-25157 · CVE-2026-24891
Agents earn autonomy through consistent good behavior. Violations reduce trust, which tightens rate limits. Score ranges from 0.0 to 1.0 and directly affects what the agent can do.
Even if the agent finds PII by reading a file or scraping a website, Snapper catches it. 30+ regex patterns scan every tool call for credit cards, SSNs, emails, API keys, and more — across US, UK, Canada, and Australia formats.
Immutable, BRIN-indexed audit trail. Every security event logged with request correlation IDs, agent context, and full JSON details. Activity timeline, filterable log viewer, and exportable stats.
Snapper hooks into the PreToolUse pipeline. Every tool call is evaluated before execution.
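An added example, not Snapper's own code, of the fail-closed evaluation described above ("No rules = deny. Errors = deny."), combined with one raw-PII check that routes a tool call to human approval. The `Rule` shape, the verdict names, the shell allowlist and the single card pattern are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

ALLOW, DENY, APPROVE = "allow", "deny", "require_approval"  # assumed verdict names

@dataclass
class Rule:  # hypothetical rule shape: check() returns a verdict, or None if not applicable
    name: str
    check: Callable[[dict], Optional[str]]

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # one illustrative PII pattern

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def contains_card(text: str) -> bool:
    # The Luhn check cuts false positives from long numeric IDs.
    return any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text))

def evaluate(call: dict, rules: list) -> str:
    if not rules:
        return DENY                       # no rules = deny
    verdict = DENY                        # nothing matched = deny
    for rule in rules:
        try:
            result = rule.check(call)
        except Exception:
            return DENY                   # errors = deny
        if result == DENY:
            return DENY                   # an explicit deny always wins
        if result == APPROVE:
            verdict = APPROVE             # human approval outranks allow
        elif result == ALLOW and verdict != APPROVE:
            verdict = ALLOW
    return verdict

def pii_rule(call):
    return APPROVE if contains_card(str(call.get("input", ""))) else None

def shell_allowlist(call):
    if call.get("tool") != "shell":
        return None
    return ALLOW if call["input"].split()[0] in {"ls", "cat", "git"} else DENY

RULES = [Rule("pii", pii_rule), Rule("shell-allowlist", shell_allowlist)]
```

A call is allowed only when some rule explicitly allows it and no rule denies, raises, or asks for approval; every other path ends in deny.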
Different tools solve different problems at different layers. Snapper is the only open-source tool at the agent-internet boundary that enables full capability.
| | Snapper | LlamaFirewall | Cloudflare | Radware | GitHub |
|---|---|---|---|---|---|
| Snapper-Unique | | | | | |
| Encrypted PII Vault | ✓ | ✗ | ✗ | ✗ | ✗ |
| HITM via Telegram/Slack | ✓ | ✗ | ✗ | ✗ | ✗ |
| Raw PII Interception (DLP) | ✓ | ✗ | ~ | ✓ | ✗ |
| Domain-Locked Vault Tokens | ✓ | ✗ | ✗ | ✗ | ✗ |
| Malicious Skill Blocking | ✓ | ✗ | ✗ | ✗ | ✗ |
| Adaptive Trust Scoring | ✓ | ✗ | ✗ | ✗ | ✗ |
| Emergency Kill Switch | ✓ | ✗ | ✗ | ✗ | ✗ |
| Architecture | | | | | |
| Layer | Agent boundary | Inside agent | Edge network | Platform | Domain list |
| Philosophy | Enable | Restrict | Restrict | Restrict | Restrict |
| Open Source | ✓ | ✓ | ✗ | ✗ | ✗ |
| Self-Hosted | ✓ | ✓ | ✗ | ~ | ✗ |
| Fail-Closed Design | ✓ | ✓ | ✓ | ✓ | ✓ |
| Multi-Agent (5+) | ✓ | ~ | ✗ | ~ | ✗ |
Snapper is a security tool — so we hold ourselves to the same standard we enforce on agents. Here's how we protect the project and our users.
Report security issues privately via GitHub Security Advisories. We acknowledge reports within 72 hours and follow a 90-day coordinated disclosure timeline.
Snapper enhances your security posture but does not guarantee complete protection. No security tool can. You are responsible for your own configuration, risk assessment, and compliance. See TERMS.md.
Snapper is provided "as is" without warranty of any kind under the PolyForm Noncommercial License. Free for personal use, research, education, and nonprofits. Commercial use requires a separate license. Full terms in the repository.
All contributions require a Developer Certificate of Origin (DCO) sign-off, certifying that contributors have the right to submit their code and agree to the project's license terms.
Docker, one command, and your agent is protected. Free for noncommercial use.