brexhq
HTTP proxy securing AI agents with LLM-based policy enforcement
Top 64.0% on SourcePulse
Summary
CrabTrap is an HTTP/HTTPS proxy designed to secure AI agents operating in production environments by acting as an intermediary between agents and external APIs. It intercepts all outbound requests, evaluating them against configurable security policies—combining deterministic static rules with an LLM-based judge—before allowing them to proceed to the internet. This provides essential guardrails for agents interacting with services like Slack, Gmail, or GitHub, ensuring adherence to security protocols and logging all decisions for a comprehensive audit trail.
How It Works
Agents are configured to route their outbound traffic through CrabTrap. The proxy transparently terminates TLS connections, enabling inspection of request content. Initially, requests are matched against predefined static rules based on URL patterns and HTTP methods; matching requests are acted upon immediately without LLM involvement. If no static rule applies, the request is passed to an LLM judge, which evaluates it against a natural-language security policy defined for the specific agent. Approved requests are forwarded, while denied requests receive a 403 status with a reason. All interactions are logged to a PostgreSQL database. This two-tier evaluation strategy optimizes performance by leveraging fast static checks before invoking the more resource-intensive LLM.
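The two-tier decision described above, as an added sketch that is not CrabTrap's own code: the `Rule`, `Judge` and `Decision` types and the glob syntax (Go's `path.Match` over host+path) are assumptions made for illustration, and the judge is a stand-in function rather than a real LLM call.

```go
package main

import (
	"fmt"
	"path"
)

// Rule is a hypothetical static rule: an HTTP method ("*" for any) and a glob over host+path.
type Rule struct {
	Method, Pattern string
	Allow           bool
}

// Judge stands in for the LLM call: it sees the agent's policy text and the request.
type Judge func(policy, method, url string) (allow bool, reason string)

// Decision is what gets logged; Allow=false is answered with 403 plus Reason.
type Decision struct {
	Allow        bool
	Tier, Reason string
}

// Evaluate runs the static tier first and calls the judge only when no rule matches.
func Evaluate(rules []Rule, judge Judge, policy, method, url string) Decision {
	for _, r := range rules {
		// A malformed pattern returns an error and is treated as a non-match.
		ok, err := path.Match(r.Pattern, url)
		if err == nil && ok && (r.Method == "*" || r.Method == method) {
			return Decision{r.Allow, "static", "rule " + r.Method + " " + r.Pattern}
		}
	}
	allow, reason := judge(policy, method, url)
	return Decision{allow, "llm", reason}
}

func main() {
	rules := []Rule{ // constructed sample rules
		{"GET", "api.github.com/repos/*/*/issues", true},
		{"DELETE", "api.github.com/repos/*/*", false},
	}
	// Constructed stand-in judge that denies whatever reaches it.
	judge := func(policy, method, url string) (bool, string) {
		return false, "not covered by policy: " + policy
	}
	for _, u := range []string{"api.github.com/repos/acme/app/issues", "slack.com/api/chat.postMessage"} {
		fmt.Println(u, Evaluate(rules, judge, "read-only issue triage", "GET", u))
	}
}
```

The `Tier` field records which stage decided, so an audit log can show how much traffic is settled by static rules without reaching the judge.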
Quick Start & Requirements
CrabTrap runs as a Docker container alongside PostgreSQL. The primary setup involves:
docker compose up -d
This command starts the proxy and database. Users must then copy the generated CA certificate (ca.crt) for TLS inspection and create an admin user to obtain an authentication token for testing. The proxy listens on localhost:8080, and the admin UI is accessible at localhost:8081. Prerequisites include Docker and Docker Compose.
Maintenance & Community
Releases are automated via GitHub Actions using GoReleaser. The project structure includes dedicated modules for proxying, policy evaluation, LLM integration, auditing, and a React-based admin UI. Specific community channels (e.g., Discord, Slack) or notable contributors are not detailed in the README.
Licensing & Compatibility
This project is licensed under the MIT License, which is permissive and generally suitable for commercial use and integration into closed-source applications.
Limitations & Caveats
CrabTrap functions exclusively as an outbound forward proxy for agent-originated traffic and is not an inbound firewall or WAF. It does not redact sensitive data within requests (e.g., Authorization headers) as the proxy itself is the trust boundary. The system does not offer human-in-the-loop approval workflows, nor does it inspect API responses or WebSocket frames after the initial upgrade request.