Terminal security for developers and AI agents. Intercepts homograph URLs, pipe-to-shell, ANSI injection, obfuscated payloads, data exfiltration, and malicious AI skills/configs before they execute.
2.6k
Stars
86
Forks
18
Open issues
2
Contributors
AI Analysis
Tirith is a terminal security tool written in Rust that intercepts and blocks malicious commands before execution, protecting against homograph attacks, pipe-to-shell exploits, ANSI injection, obfuscated payloads, and credential exfiltration. It's designed specifically for developers and AI agents who execute untrusted shell commands or install packages, filling a gap that browsers solved years ago but terminals have not. This tool is essential for security-conscious developers, DevOps engine...
Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.
AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.
Terminal security interceptor for shell commands and AI agent execution, catching homograph attacks and injection payloads before execution
Tirith is a Rust-based security gate that intercepts shell commands, pastes, and file scans to detect 221 attack patterns across 34 categories: homograph URLs, pipe-to-shell chains, ANSI injection, base64 decode-execute, credential exfiltration, and malicious AI configs. Built for developers and AI agent operators who work with untrusted input. Created February 2026, rapidly gaining traction (2,499 stars in ~5 months, 31 gained in last week), with Vercel OSS program backing. Adoption not yet verified at scale, but README signals active maintenance and production readiness.
Launched February 2026 as a response to rising homograph and terminal injection attacks, particularly targeting developers copy-pasting commands and AI agents executing untrusted shell directives without validation. Positions itself as the terminal-equivalent of browser URL-bar security, addressing a historically under-protected attack surface.
Rapid early adoption curve (2,499 stars since February, 31 in the last 7 days as of June 2026) suggests resonance with security-conscious developer and AI-ops communities. Growth rate peaked in initial weeks, now settling into steady weekly gain (~4–5 stars/day). Vercel OSS program sponsorship (Spring 2026 cohort) indicates external validation and hosted visibility. Presence on npm, cargo, brew, apt/dnf, and mise suggests multi-ecosystem distribution strategy from launch.
Adoption not verified. No GitHub discussion, blog posts, or public deployment announcements inspected. README includes no case studies, testimonials, or quantified user base. Presence on multiple package managers suggests infrastructure readiness, but does not confirm production use. Vercel OSS backing and website (tirith.sh) indicate professional project presentation, not necessarily production adoption. Early star velocity is hype signal, not proof of real-world deployment.
Likely implements shell-level hooks (via `eval` in shell rc-files) that intercept command strings before execution, routes them through pattern-matching rules, and either blocks/warns or allows continuation. Based on README: supports zsh, bash, fish with near-zero latency claimed. Appears to use a signed threat intelligence database for domain/IP/package reputation. Sub-millisecond overhead implies compiled (Rust) rule engine, not interpreted scripting. No source code inspected; architecture inferred from README and use-case description.
Not documented in README. CI badge present (GitHub Actions), suggesting automated testing pipeline exists, but test count, coverage percentage, and scope not disclosed.
Repository active as of 2026-06-29 (last push today). CI pipeline passing. Changelog and releases tracked. Created Feb 2026, so only ~4.5 months old; maturity is early-stage but signals are positive. Weekly-to-daily commit cadence (inferred from 31-star gain in 7 days suggesting continued feature/fix work). No evidence of maintenance debt or stalled issues. AGPL-3.0 license may limit some adoption.
ADOPT IF: you routinely copy-paste shell commands from untrusted sources, manage AI agents that execute arbitrary directives, work in security-sensitive environments, or operate in high-phishing-risk contexts. Zero friction on clean input and Cyrillic homograph detection alone justifies trial. AVOID IF: you operate in deeply air-gapped environments where shell performance and hook overhead are critical, or your compliance model requires approved-vendor-only tools (AGPL-3.0 license may conflict). MONITOR IF: you are a large enterprise considering adoption—real-world production case studies and adoption numbers are absent. Early-stage project with solid technical approach but unproven at scale. Re-evaluate in 6–12 months when adoption data becomes available.
Independent dimensions
Mainstream potential
4/10
Technical importance
7/10
Adoption evidence
2/10
- Adoption not verified at scale—star count is promotional signal, not proof of production deployment. May suffer from early-project hype/churn.
- AGPL-3.0 license may deter enterprise and closed-source tool integrations; copyleft requirement could limit ecosystem reach.
- Rule-set maintenance burden: 221 detection rules across 34 categories require ongoing refinement. False positives or false negatives could erode trust; no evidence of third-party rule vetting or threat-intelligence partnership.
- Shell-hook model may conflict with existing security tools, container runtimes (Docker, Podman), or restricted environments. Bypass via `TIRITH=0` weakens security guarantees if not monitored.
- Attack surface is homophone/visual-attack focus; does not defend against supply-chain compromise of the packages themselves (only command-line execution). Orthogonal to other supply-chain defenses.
Likely to remain a specialized, high-adoption tool within security-conscious developer and AI-ops communities. Unlikely to reach 10,000+ stars or become dominant in any broader category. More probable trajectory: niche maturity (stability, rule refinement, ecosystem integrations) than exponential growth. Success measured by integration into AI agent frameworks and corporate security policies, not raw star count. AGPL license may limit enterprise adoption; permissive relicense could accelerate mainstream adoption.
Newsletter
Get analyses like this every Monday
Free weekly digest of the most interesting open-source discoveries.
Languages
Information
- Website
- https://tirith.sh
- Language
- Rust
- License
- AGPL-3.0
- Last updated
- 1d ago
- Created
- 5mo ago
- Analyzed with
- anthropic/claude-haiku-4-5
Stars over time
Contributors over time
Top 100 contributors only — repos with more will plateau at 100.
Open issues
Open pull requests
Top contributors
Similar repos
tirrenotechnologies/tirreno
Tirreno is a self-hosted PHP/PostgreSQL security framework designed to detect...
| Repository | Stars | Week Δ | Language | Score | Updated |
|---|---|---|---|---|---|
|
|
2.6k | +26 | Rust | 8/10 | 1d ago |
|
|
1.2k | — | TypeScript | 7/10 | 15h ago |
|
|
73.1k | — | TypeScript | 9/10 | 2w ago |
|
|
4.2k | — | TypeScript | 7/10 | 1d ago |
|
|
1.5k | — | PHP | 7/10 | 7d ago |
|
|
8.4k | — | TypeScript | 8/10 | 12h ago |
Broader AI agent security surface (skills, configs, execution context). Tirith is terminal-focused; terax-ai appears to intercept at agent framework level. Different threat models; not direct replacements.
Smaller ecosystem. Tirith's Rust implementation and multi-language shell support position it differently; tirreno's domain/focus not clear from repo list.
Tirith is terminal analogue—tackles same attack vectors (homograph, injection) but at shell/CLI layer. No overlap with deployed browser security; complementary problem space.
Tirith intercepts *command execution*, not package dependencies. Covers different phase: pre-execution defense vs. post-install audit. Both can coexist.
Tirith is *preventive* (blocks before exec); audit tools are *post-incident* (logs after). Different security posture; Tirith is stricter.