Discover secrets
ShellFrame scans local project configuration before the agent starts and asks the developer what should be protected.
Local-first security for AI coding agents
Run AI agents without exposing real secrets.
ShellFrame AI gives Claude, Codex, Cursor, and other coding agents short-lived virtual credentials while real API keys stay protected on the developer machine.
Secret virtualization
Network policy
Agent audit trail
$ agentsecure run claude
found .env secrets
DATABASE_URL=virt_database_J8s...
STRIPE_API_KEY=virt_stripe_N4d...
runtime: command-guard
network: credential-aware
cloud: reporting security events only
Live session
Protected
Secrets exposed
0
Blocked sends
3
Runtime
Local
Mode
Guard
How it works
A thin security frame around the agent.
Issue virtual keys
The agent sees temporary virtual values. Real credentials are resolved locally only when policy allows the request.
Control outbound access
Credential-bearing network calls are checked before they leave the machine, with security events sent to the console.
Trust model
Designed so the cloud does not need your secrets.
ShellFrame is built around a local-first boundary. The cloud console manages policy, devices, sessions, and security events. Secret material stays on the developer machine.
Cloud can see
- Device and session metadata
- Agent runtime status
- Policy and blocked-event summaries
- Network destinations, when reported
Cloud cannot see
- Real API keys
- Raw .env contents
- Source code
- Agent prompts or request bodies
For teams
Visibility and defaults before AI agents become shadow infrastructure.
Configure default protection for every enrolled machine, see which agents are running, review blocked requests, and clean up stale devices from one cloud console.
Go to console