CrabTrap: An LLM-as-a-judge HTTP proxy to secure agents in production


Article

TL;DR

Brex open-sources CrabTrap, an LLM-as-judge HTTP proxy that approves or rejects AI agent requests.

Key Takeaways

  • Proxy intercepts all agent HTTP traffic; an LLM judge approves or denies each request
  • If the judge and the agent share a model family, they share the same prompt-injection vulnerabilities
  • By the time the proxy intercepts a request, the agent has already read the credentials; the judge sees them too late
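The takeaways above describe a proxy whose only control is an LLM verdict, with the risks that the judge can be injected and that credentials are already in the agent's context when the request is seen. The added example below (not CrabTrap's code; the host, method and token patterns are constructed assumptions) shows the layering the discussion also argues for: a deterministic egress policy runs first and is final, and the judge can only narrow access, so a judge talked into approving cannot open a destination the allowlist closed.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class AgentRequest:
    method: str
    url: str
    body: str = ""

# Hypothetical policy values (assumptions for this example, not CrabTrap's config).
ALLOWED_HOSTS = {"api.example.com", "vault.example.com"}
ALLOWED_METHODS = {"GET", "POST"}
# Hosts permitted to receive credential-shaped tokens in a request body.
CREDENTIAL_SINKS = {"vault.example.com"}
# Constructed pattern for two common credential shapes; illustrative only.
SECRET_PATTERN = re.compile(r"\b(?:sk_live_[A-Za-z0-9]{8,}|AKIA[0-9A-Z]{16})\b")

def deterministic_gate(req):
    """Hard policy: a deny here is final and the LLM judge is never consulted."""
    reasons = []
    parts = urlsplit(req.url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        reasons.append("non-https scheme")
    if host not in ALLOWED_HOSTS:
        reasons.append("host not allowlisted: " + host)
    if req.method.upper() not in ALLOWED_METHODS:
        reasons.append("method not allowed: " + req.method)
    # The agent may already hold the credential (the page's point); the proxy
    # can still confine where a credential-shaped value is allowed to travel.
    if SECRET_PATTERN.search(req.body) and host not in CREDENTIAL_SINKS:
        reasons.append("credential-shaped token bound for non-sink host")
    return not reasons, reasons

def gate_request(req, judge):
    """Policy first, judge second. `judge` is any callable returning a bool
    (the LLM verdict); its approval cannot override a policy deny, so a judge
    fooled by prompt injection still cannot widen access beyond the allowlist."""
    ok, reasons = deterministic_gate(req)
    if not ok:
        return {"decision": "deny", "layer": "policy", "reasons": reasons}
    if not judge(req):
        return {"decision": "deny", "layer": "judge", "reasons": ["judge rejected"]}
    return {"decision": "allow", "layer": "judge", "reasons": []}
```

The deterministic layer is also what makes the judge auditable: every policy deny carries machine-readable reasons, while the judge's verdict is logged as a separate layer.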

Discussion

Top comments:

  • [simonw]: Code comment claims JSON-escaping policy prevents prompt injection — this is naive
  • [ArielTM]: Judge and agent from same provider share injection vulnerabilities; need different architectures
  • [roywiggins]: What stops the agent from prompt-injecting the judge itself
  • [foreman_]: LLM judge belongs in audit layer on top of kernel controls, not as enforcement
