Airlock — External content is evidence, not instruction.
⏱ Alpha scanner available · Static scan mode today · Hosted API beta opening soon

Airlock reduces prompt-injection exposure by converting untrusted web pages into sanitized evidence packets before your AI agent reads them.

The web is hostile to agents.

Modern AI agents read web pages to gather information, follow links, and take actions on behalf of users. That makes them targets.

Prompt injection via hidden text

Adversarial content buried in CSS, alt text, or off-screen HTML that overrides agent instructions when parsed.

Memory write gates

Links that, when followed, silently instruct the agent to modify its own system prompt or memory store.

Compromised link injection

Embedded URLs that redirect to attacker-controlled domains after the page renders.

Example attack pattern

An agent browsing a documentation page encountered an off-screen <div> seeded with injection text designed to trigger a memory-write sequence when the agent summarized the page. Airlock's scanner caught and stripped it before the agent ever processed the content.

The browser layer is the gap. Most AI security investment goes into model hardening or RAG pipelines. Almost none goes into what the agent actually reads.

Simple. Consistent. Invisible to the agent.

1
Agent requests URL
2
Airlock Scanner
Fetches, parses, sanitizes
3
Evidence Packet
Clean text, safe URLs, stripped content
4
Agent receives sanitized content only
What gets stripped
  • Hidden or off-screen HTML containing injection text
  • Script, style, iframe, and embed tags that can't be statically verified
  • Links that trigger memory-write or instruction-override sequences
  • URLs that redirect to unverifiable destinations
What gets preserved
  • Clean, readable text content
  • Safe outbound links
  • Structural metadata — headings, lists, code blocks — for context
Static scan mode today. Rendered DOM scan mode on the roadmap. Not yet a sole production security boundary.

MIT licensed. Free forever for self-hosted.

The Airlock scanner library is open source under the MIT license. Self-host it, run it locally, fork it, extend it — no strings.

One command. See it work.
npx @airlock/scanner https://example.com
Returns a clean evidence packet. Strips hidden injections, memory-write gates, adversarial CSS.
“The protocol is the moat; the scanner is the wedge. We open-sourced the wedge because a moat that only benefits the wealthy isn't a moat.”