GitFeed
Back to feed

Secure AI Agent Outbound Traffic with CrabTrap

brexhq/CrabTrap
397
+165/day
31
GoSecurity💎 Hidden Gem

An LLM-as-a-judge HTTP proxy to secure agents in production

AI Analysis

An LLM-as-a-judge HTTP proxy for enforcing security policies on agent-originated traffic.

Built for Engineers building production AI agents who need to prevent unauthorized API access and prompt injection.

From the README

CrabTrap

An HTTP/HTTPS proxy that sits between AI agents and external APIs, evaluating every outbound request against security policies before it reaches the internet.

If you run AI agents that call external services — Slack, Gmail, GitHub, or anything else — CrabTrap gives you guardrails. It intercepts every outbound HTTP/HTTPS request, checks it against deterministic rules and an LLM-based policy judge, and either forwards it or blocks it with a reason. Every request and decision is logged to PostgreSQL for a complete audit trail.

Quickstart

CrabTrap runs as a Docker container alongside PostgreSQL. See QUICKSTART.md for the full walkthrough — the short version:

docker compose up -d                                                    # start CrabTrap + Postgres
docker compose cp crabtrap:/app/certs/ca.crt ./ca.crt                   # copy the generated CA cert
# create test-admin admin user and store their web_token in a variable
admin_token=$(docker compose exec -it crabtrap ./gateway create-admin-user test-admin \
    | tail -n1 | cut -d" " -f2)
token=$(curl -X POST  \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${admin_token}" \
    -d '{"id": "alice@example.com", "is_admin": false}' \
    | jq -r '.channels[] | select(.channel_type == "gateway_auth") | .gateway_auth_token')
# test with
curl -x  \
    --cacert ca.crt

The proxy listens on localhost:8080, the admin UI is at localhost:8081 and you can login to it with the $admin_token.

How It Works

  1. Agent connects — set HTTP_PROXY and HTTPS_PROXY to point at CrabTrap
  2. TLS termination — CrabTrap generates a per-host certificate from a custom CA and decrypts the request
  3. Static rules — the request is matched against URL pattern rules (prefix, exact, or glob). If a rule matches, the decision is immediate — no LLM call. Deny rules always take priority over allow.
  4. LLM judge — if no static rule matches, the request is evaluated by an LLM against the agent's natural-language security policy. Allowed requests are forwarded; denied requests get a 403 with the reason.
  5. Audit logged — every request, decision, and response is recorded in PostgreSQL

Features

Security

  • HTTPS interception — transparent MITM proxy with custom TLS server certificate generation
  • SSRF protection — blocks requests to private networks (RFC 1918, loopback, link-local, Carrier-Grade NAT, IPv6 ULA/NAT64/6to4) with DNS-rebinding prevention
  • Prompt injection defense — request payloads are JSON-encoded and policy content is JSON-escaped before being sent to the LLM judge
  • Per-IP rate limiting — token bucket rate limiter (default 50 req/s, burst 100)

Policy Evaluation

  • Two-tier evaluation — deterministic static rules are checked first; the LLM judge is only invoked if no rule matches
  • Static rules — prefix, exact, and glob URL pattern matching with optional HTTP method filters
View on GitHub