ShieldCortex gives your AI agent persistent memory AND protects it from attack. One package. Full solution.
Most AI agents are stateless β they forget everything between sessions. ShieldCortex fixes that with production-grade persistent memory. But memory creates risk: researchers have demonstrated memory poisoning attacks that hijack AI behaviour. ShieldCortex is the only solution that solves both problems.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β ShieldCortex β
βββββββββββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββ€
β MEMORY SYSTEM β SECURITY LAYER β
βββββββββββββββββββββββββββββββΌββββββββββββββββββββββββββββββββ€
β β’ Persistent storage β β’ Memory firewall β
β β’ Semantic search β β’ Prompt injection detection β
β β’ Project scoping β β’ Credential protection β
β β’ Importance ranking β β’ Sub-agent access control β
β β’ Auto-cleanup & decay β β’ Full audit trail β
β β’ Category organisation β β’ Threat quarantine β
βββββββββββββββββββββββββββββββ΄ββββββββββββββββββββββββββββββββ
Stop choosing between memory and security. Get both.
- Persistent storage β SQLite-backed, survives restarts
- Semantic search β Find memories by meaning, not just keywords
- Project scoping β Isolate memories per project/context
- Importance levels β Critical, high, normal, low with auto-decay
- Categories β Architecture, decisions, preferences, context, learnings
- Auto-cleanup β Configurable retention, importance-based expiry
- Full MCP support β Works with any MCP-compatible agent
| Layer | What It Does | Tier |
|---|---|---|
| Memory Firewall | Blocks prompt injection, encoding tricks, hidden instructions | Free |
| Audit Logger | Full forensic trail of every memory operation | Free |
| Trust Scorer | Scores memories by source reliability | Free |
| Sub-Agent Security | Access control, rate limiting, auto-quarantine | Free |
| Sensitivity Classifier | Detects & redacts passwords, API keys, PII | Pro |
| Fragmentation Detector | Catches slow-burn assembly attacks | Pro |
- Direct injection β
[SYSTEM: ignore previous]hidden in content - Credential harvesting β Attempts to exfiltrate secrets
- Encoding tricks β Base64/hex/unicode payloads
- Slow-burn assembly β Attack fragments planted over days
- Privilege escalation β System command references
Running multiple agents or sub-agents? ShieldCortex prevents rogue agents from accessing sensitive data:
| Feature | What It Does |
|---|---|
| Hierarchical Trust Decay | Sub-agents get lower trust: user-spawned (0.9) β >task-1 (0.63) β >subtask-2 (0.44) |
| Origin-Based Scoring | Different trust by source: user (0.9), cron (0.5), agent-spawned (0.3), web (0.2) |
| Credential Isolation | RESTRICTED memories blocked below trust 0.7 β sub-agents can't access secrets |
| Depth Circuit Breaker | Agents beyond depth 5 get trust = 0 (blocked entirely) |
| Auto-Quarantine | Low-trust writes go to quarantine for human review |
| Environment Detection | Auto-detects sub-agents from CLAUDE_CODE_ENTRYPOINT β zero config |
Trust β₯0.7 β Read all, write direct, delete own
Trust 0.5β0.7 β Read own + non-restricted, quarantine writes
Trust <0.5 β Read own only, quarantine only, no delete
Result: A sub-agent spawning another sub-agent that tries to read your API keys? Blocked.
# Install globally
npm install -g shieldcortex
# Auto-configure for your agent (Claude Code, OpenClaw, LangChain, etc.)
npx shieldcortex setup
# That's it. Your agent now has persistent memory + security.Already using Claude Cortex? Migrate in one command:
npx shieldcortex migrateVerify installation:
npx shieldcortex doctorShieldCortex is agent-agnostic middleware:
| Agent | Integration |
|---|---|
| Claude Code | npx shieldcortex setup β Native MCP server |
| OpenClaw / Moltbot | npx shieldcortex openclaw install β Native hooks |
| LangChain JS | import { ShieldCortexMemory } from 'shieldcortex/integrations/langchain' |
| Python (CrewAI, AutoGPT) | REST API β POST /api/v1/scan |
| Any MCP agent | Via MCP protocol or @langchain/mcp-adapters |
If your agent stores memories, ShieldCortex can power and protect them.
| Requirement | Version |
|---|---|
| Node.js | >= 18.0.0 |
| Platform | macOS, Linux, or Windows |
| Storage | ~50MB for SQLite database |
No external dependencies. No Docker required. Just npm install and go.
Find out in 30 seconds:
npx shieldcortex setupThen ask your agent: "Scan my memories for threats"
ShieldCortex will scan every stored memory and report:
- Hidden instructions disguised as normal content
- Credential harvesting attempts
- Encoded payloads (base64, unicode, hex)
- Fragmented attack patterns spread across memories
- Privilege escalation attempts
No threats found? Great β now you're protected going forward.
import { ShieldCortexMemory, ShieldCortexGuard } from 'shieldcortex/integrations/langchain';
// As a LangChain memory backend (scans before storing)
const memory = new ShieldCortexMemory({ mode: 'balanced' });
const vars = await memory.loadMemoryVariables({ input: 'deployment config' });
await memory.saveContext({ input: 'hello' }, { output: 'hi' });
// As standalone middleware (scan without storing)
const guard = new ShieldCortexGuard();
const result = guard.scan('some content to check');
if (!result.allowed) {
console.warn('Blocked:', result.firewall.reason);
}Start the API server, then scan content from any language or framework:
npm run dev:api # Starts on http://localhost:3001# Scan content
curl -X POST http://localhost:3001/api/v1/scan \
-H 'Content-Type: application/json' \
-d '{"content": "memory to scan", "title": "test"}'
# Batch scan
curl -X POST http://localhost:3001/api/v1/scan/batch \
-H 'Content-Type: application/json' \
-d '{"items": [{"content": "item 1"}, {"content": "item 2"}]}'
# Query audit logs
curl http://localhost:3001/api/v1/audit?firewallResult=BLOCK
# List quarantined items
curl http://localhost:3001/api/v1/quarantine
# Approve/reject quarantined items
curl -X POST http://localhost:3001/api/v1/quarantine/1/approve
curl -X POST http://localhost:3001/api/v1/quarantine/1/rejectOne command. Persistent memory for every OpenClaw session.
sudo npx shieldcortex openclaw installThis installs the cortex-memory hook directly into OpenClaw's bundled hooks directory. No configuration needed.
Session Start During Session Session End (/new)
β β β
βΌ βΌ βΌ
βββββββββββββββ βββββββββββββββ βββββββββββββββ
β Inject past β β "remember β β Auto-extractβ
β context β β this: ..." β β decisions, β
β into agent β β β save β β fixes, etc. β
βββββββββββββββ βββββββββββββββ βββββββββββββββ
| Feature | What Happens |
|---|---|
| Context Injection | On session start, relevant past memories are injected into the agent's bootstrap context |
| Keyword Triggers | Say "remember this:" or "don't forget:" followed by content to save it with critical importance |
| Auto-Extraction | On /new, the hook extracts architecture decisions, bug fixes, and learnings from the ending session |
| Security | All content passes through the 5-layer defence pipeline before storage |
The database (~/.shieldcortex/memories.db) is shared with Claude Code. Memories created in OpenClaw appear instantly in Claude Code sessions, and vice versa.
sudo npx shieldcortex openclaw install # Install hook
sudo npx shieldcortex openclaw uninstall # Remove hook
npx shieldcortex openclaw status # Check statusnpx shieldcortex --dashboard- Dashboard: http://localhost:3030
- API: http://localhost:3001
Views: Shield (defence overview), Audit Log, Quarantine, Memories, 3D Brain, Knowledge Graph.
npx shieldcortex service install # Enable
npx shieldcortex service uninstall # Disable
npx shieldcortex service status # CheckWorks on macOS (launchd), Linux (systemd), and Windows.
npx shieldcortex setup # Auto-detect agent + configure hooks
npx shieldcortex migrate # Migrate from Claude Cortex
npx shieldcortex doctor # Check installation health
npx shieldcortex --dashboard # Start dashboard + API
npx shieldcortex --version # Show version
npx shieldcortex service install # Auto-start on login
npx shieldcortex graph backfill # Extract entities from existing memories
npx shieldcortex openclaw install # Install OpenClaw hook
npx shieldcortex uninstall # Full uninstall (requires confirmation)
npx shieldcortex uninstall --confirm # Non-interactive uninstall| Tool | Description |
|---|---|
remember |
Store a memory (optional β hooks do this automatically) |
recall |
Search memories by query, category, or tags |
forget |
Delete memories |
get_context |
Get relevant project context |
memory_stats |
View memory statistics |
scan_memories |
Scan existing memories for threats |
audit_query |
Query the defence audit trail |
quarantine_review |
Review quarantined memories |
defence_stats |
Threat counts, trust distribution |
graph_query |
Traverse the knowledge graph |
graph_entities |
List known entities |
graph_explain |
Find paths between entities |
| Feature | Claude Cortex | Mem0 | Zep | ShieldCortex |
|---|---|---|---|---|
| Persistent Memory | Yes | Yes | Yes | Yes |
| Semantic Search | Yes | Yes | Yes | Yes |
| Prompt Injection Detection | No | No | No | Yes |
| Memory Firewall | No | No | No | Yes |
| Sub-Agent Access Control | No | No | No | Yes |
| Audit Trail | No | No | Partial | Yes |
| Credential Protection | No | No | No | Yes |
| MCP Native | Yes | No | No | Yes |
| Self-Hosted | Yes | No | Partial | Yes |
| Open Source | Yes | Partial | Partial | Yes |
ShieldCortex is the only memory system built for adversarial conditions.
| Tier | What You Get | Price |
|---|---|---|
| Free | Full memory system + core security (firewall, audit, trust scoring) | Free |
| Pro | + Sensitivity classifier, fragmentation detector, web dashboard | Coming soon |
Free tier is fully functional for individual developers.
- Website: shieldcortex.ai
- npm: npmjs.com/package/shieldcortex
- GitHub: github.com/Drakon-Systems-Ltd/ShieldCortex
- Architecture: ARCHITECTURE.md
MIT
Built by Drakon Systems