RUNTIME SECURITY FOR AI AGENTS

An agent should never hold a secret longer than it needs to.

Checkpoint → Scan → Vault → Replace → Continue. Enforced at every critical boundary.

npm install @roadsidelab/keyspot-sdk
or load the agent skill
https://raw.githubusercontent.com/roadsidedev/keyspot-sdk/main/SKILL.md
COVERS
OpenAI / Anthropic / Google / Cohere keys
AWS, GCP, Azure cloud secrets
Ethereum, Solana, PEM private keys
Postgres, MySQL, Mongo, Redis URLs
GitHub / GitLab / npm tokens
Stripe / Twilio / SendGrid keys
Slack, Discord, HubSpot, PagerDuty tokens
JWT, Cloudflare, DigitalOcean, Notion tokens
US SSNs and credit card numbers
Docker Hub, Shopify, Linear, Dropbox tokens
Firearbitrum, Heroku, Mailgun, Mailchimp keys
Tainted derivations (summaries, embeddings)
WHY KEYSPOT
40+ Built-in Patterns

Detect API keys, crypto private keys, cloud credentials, DB URLs, JWTs, and more — across Web2 and Web3.

Vault & Replace

Secrets are replaced with HMAC-signed vault references. The agent never holds a raw secret.

Taint Tracking

Derived summaries, embeddings, or transformed copies of secrets are caught and redacted automatically.

PromptShield

18 jailbreak detection rules block prompt injection, system extraction, and tool abuse before they reach the LLM.

Worker Isolation

Every scan runs in an isolated thread or V8 sandbox. Your main loop is never blocked or exposed.

Audit & Compliance

Hash-chained, Ed25519-signed audit logs. Optionally anchored to the Arbitrum One blockchain. Zero secrets ever logged.
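
The Scan → Vault → Replace step and the HMAC-signed references described under Vault & Replace, sketched as an added example. This is not KeySpot SDK code or its API: the two patterns, the vault:// reference format, the in-memory Map and every function name are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumptions for this sketch: per-process signing key, in-memory vault.
const SIGNING_KEY = crypto.randomBytes(32);
const vault = new Map();

// Two constructed patterns; a production scanner carries many more.
const PATTERNS = [
  /\bAKIA[0-9A-Z]{16}\b/g, // AWS access key ID shape
  /\bpostgres(?:ql)?:\/\/[^\s:@\/]+:[^\s@\/]+@\S+/g, // DB URL with password
];

// Constructed sample input (AWS documentation placeholder key, made-up URL).
const SAMPLE = 'use AKIAIOSFODNN7EXAMPLE with ' +
  'postgres://app:s3cr3t@db.internal:5432/prod today';

const sign = (id) =>
  crypto.createHmac('sha256', SIGNING_KEY).update(id).digest('hex');

// Scan -> Vault -> Replace: store each match, leave only a signed reference.
function vaultAndReplace(text) {
  return PATTERNS.reduce((out, re) => out.replace(re, (secret) => {
    const id = crypto.randomUUID();
    vault.set(id, secret);
    return `vault://${id}.${sign(id)}`;
  }), text);
}

// Resolve a reference only when its HMAC verifies (constant-time compare),
// so a forged or edited reference is rejected before any vault lookup.
function resolve(ref) {
  const m = /^vault:\/\/([0-9a-f-]{36})\.([0-9a-f]{64})$/.exec(ref);
  if (!m) return null;
  const expected = Buffer.from(sign(m[1]), 'hex');
  const given = Buffer.from(m[2], 'hex');
  if (!crypto.timingSafeEqual(expected, given)) return null;
  return vault.get(m[1]) ?? null;
}

console.log(vaultAndReplace(SAMPLE)); // text with two vault:// references
```

Only the component that holds the signing key and the vault can turn a reference back into a secret; the text handed to the model carries references alone.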

WORKS WITH
LangChain
Anthropic SDK
OpenAI SDK
OpenClaw
Hermes
Manus
Claude Code
Express
Pinecone
Chroma
Qdrant
Weaviate
LanceDB
Milvus
Docker (self-host)
Python 3.10+