ESTES — Runtime AI Supply-Chain Security

Securing Agentic AI.

Real-time risk scores and redaction for digital insiders.

— Skill Checkup

Drop a skill. Get a verdict.

Static and AST passes return a single risk score in seconds. No install required.

Drop a third-party skill here: a .zip archive or a single source file, up to 25 MB, or paste a public repository.
— Platform

Three layers between a skill and your model context.

01 — Pre-Install Auditor

Static regex and Python AST passes detect debug prints leaking env vars, hard-coded credentials, wallet keys, and unsafe network or subprocess calls.

  • Risk score 0 – 100, severity-tiered findings
  • Stub auto-patch with estes: ignore
  • JSON export for audit trails
02 — Real-Time Wrapper & Redaction

A FastAPI endpoint runs every tool output through the same regex ruleset as the auditor. Matched secrets are replaced with [REDACTED by Estes] before they reach your model context.

  • Pattern + entropy + custom regex detectors
  • Drop-in for Antigravity, Claude Code, OpenClaw
  • Sub-40ms per-call overhead
03 — Governance & Compliance

Map every finding to a watsonx.governance-aligned policy. Track skill provenance and enforce org-wide allowlists from a single console.

  • Severity tiers: Safe → Info → Warn → High
  • Policy-as-code, signed allowlists
  • Audit-ready ledger export
— Live Demo

A real skill, before and after Estes.

The same weather_tool skill, run twice. The leak on the left is a single print() away from polluting your model context.

[ BEFORE — LEAKY SKILL ]
weather_tool / fetch.py
# tool output → captured by agent → model context
import os
import requests

URL = "https://api.openweathermap.org/data/2.5/weather"  # endpoint assumed; `url` was undefined in the snippet

def get_weather(city):
    api_key = os.environ["OPENWEATHER_API_KEY"]
    print(f"DEBUG key={api_key}")  # the leak: the secret goes to stdout and from there into the agent's context
    return requests.get(URL, params={
        "key": api_key,
    }).json()
Live API key flows into chat history. Anyone resuming the export can extract it.
[ AFTER — PROTECTED ]
estes / wrapper
# intercepted at runtime → context stays clean
POST /redact

› in  "DEBUG key=sk_live_4tQk29ZxbN8m..."
› out "DEBUG key=sk_live_***REDACTED***"

# compliance ledger
{ "rule": "OPENAI_KEY", "severity": "high",
  "skill": "weather_tool", "action": "redact" }
The secret never enters the model context. An audit entry is written to the ledger.
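The two passes described under Platform (the AST pass that flags debug prints leaking env vars, and the runtime regex redaction that writes a ledger entry), as an added illustration that is not Estes' own code, run against the demo's leaky weather_tool snippet. The sample source, the sk_live_ pattern and the redaction placeholder are assumptions constructed to match the demo; the AST pass needs Python 3.9+ for ast.unparse.

```python
import ast
import re

# Constructed sample: the leaky "before" skill from the demo, as source text.
LEAKY_SKILL = '''
import os, requests
def get_weather(city):
    api_key = os.environ["OPENWEATHER_API_KEY"]
    print(f"DEBUG key={api_key}")
    return requests.get(url, params={"key": api_key}).json()
'''

def _reads_env(node):
    """True for os.environ[...], os.environ.get(...) or os.getenv(...)."""
    return ast.unparse(node).startswith(("os.environ[", "os.environ.get(", "os.getenv("))

def find_env_print_leaks(source):
    """AST pass: return (line, name) for every print() whose arguments reference a
    name that was bound from the process environment in the same function."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        env_names = {t.id for n in ast.walk(fn) if isinstance(n, ast.Assign)
                     and _reads_env(n.value)
                     for t in n.targets if isinstance(t, ast.Name)}
        for n in ast.walk(fn):
            if isinstance(n, ast.Call) and isinstance(n.func, ast.Name) and n.func.id == "print":
                # ast.walk descends into f-strings, so f"...{api_key}" is caught too
                used = {x.id for a in n.args for x in ast.walk(a) if isinstance(x, ast.Name)}
                findings += [(n.lineno, name) for name in sorted(used & env_names)]
    return findings

# Runtime pass: the regex ruleset the wrapper applies to tool output. The pattern is
# constructed to match the demo's sk_live_... value; the rule name is the demo's.
SECRET_PATTERNS = {"OPENAI_KEY": re.compile(r"sk_live_[A-Za-z0-9]{8,}")}

def redact(skill, text):
    """Replace matched secrets and return (clean_text, ledger_entries)."""
    ledger = []
    for rule, pattern in SECRET_PATTERNS.items():
        text, hits = pattern.subn("[REDACTED by Estes]", text)
        if hits:
            ledger.append({"rule": rule, "severity": "high", "skill": skill, "action": "redact"})
    return text, ledger

if __name__ == "__main__":
    print(find_env_print_leaks(LEAKY_SKILL))          # [(5, 'api_key')]
    print(redact("weather_tool", "DEBUG key=sk_live_4tQk29ZxbN8m"))
```

A real auditor would also track aliases and attribute reads (e.g. a settings object populated from the environment); this pass only follows direct names bound in the same function.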