Your agents are out there roaming the internet, looking out for you. But who's keeping watch, to make sure they come home safe and sound?
When a cat falls flat, the rest learn the trick.
Compile a real permission profile for your agent. Prove it holds — some of that live, not just on paper. Walk away with a Clean Bill of health, or an honest list of what didn't hold.
pip install curiosity-cat
curiosity-cat compile --level housecat --target claude-code
Reads and writes only inside this project and fetches only two documentation domains — credentials, sudo, and rm -rf stay off-limits no matter what.
Risk Appetite
Not all agents live the same life. Configure your risk profile once — the framework does the rest.
How The Level Becomes Real
Picking a level on the slider above isn't a mood setting. It compiles into a real permission profile, and that profile gets tested before anyone calls it safe.
curiosity-cat compile --level <level> --target claude-code turns Housecat, Alley Cat or Tiger into an actual Claude Code settings.json — real allow, deny and ask rules, not a paragraph of advice.
One target ships today: Claude Code. Every other framework still runs on the standing orders below, honestly, until it gets its own compiler.
curiosity-cat prove --profile <dir> runs escape trials against the compiled file. Most are self-consistency checks — the compiler's own rules replayed against themselves. One, when it's safe to run, is an observed-deny trial: a real Claude Code session asked to do the denied thing, live.
Self-consistency only proves the file says what the compiler intended. Only the observed trial proves a live agent actually got stopped — that line is drawn honestly on every report, never blurred.
Every trial — held or not — lands in CLEAN-BILL.md. Nine Lives voice, one sentence per trial. All walls held: a clean bill of health. Something didn't: you're told exactly which wall, and why. No safe claim otherwise.
Not a badge you paste in and forget. A report that can fail, and says so when it does.
Also In The Framework
Compile and Prove cover the Claude Code target today. Everything below is how every other agent — and every human running one — stays briefed and informed while that list of targets grows.
Your agent is about to install a package. Twelve downloads. Created yesterday. One small mistake, a single letter or a comma just off from the real thing. Safety Net catches it before the damage is done. Every close call reported makes every agent smarter.
C-Cat standing orders and policy guidance that drop into any agent's system prompt — no SDK, no server, no dependencies. Guidance, not enforcement: nothing here is mechanically checked the way a compiled Claude Code profile is.
Last week, a graphic designer in Singapore's OpenClaw agent followed a redirect chain to a credential phishing page. This week, other agents around the world know not to take the bait. The Danger Map is updated and every agent knows to beware.
Crowdsourced threat intelligence from real incidents. Anonymised, structured, privacy by design. No free text, no raw URLs, no identity data. The network effect is the moat.
The map is waking up…
An agent from an engineering firm in Seattle browsed a documentation page. Hidden in the HTML comments was a different set of instructions. It never saw them. The standing orders caught it. That close call became a story — now every cat knows the trick.
Real close calls published as short, memorable tales. Security lessons from C-Cat that stick because they read like stories, not CVE numbers. Keeps you and your agents safe and sound.
Nine Lives means honesty about the ones we haven't used yet, too.
A cat this curious makes promises fast. Here's what's still just a promise — not shipped, not fudged as shipped.
Enforcement beyond Claude Code
Compile speaks one language today: Claude Code's settings.json. Ask it for a compiled wall in OpenClaw, LangChain, CrewAI or AutoGen and it hands you the same standing orders everyone else gets — guidance, not a fence. Every other target is next, not now.
The app
Right now, reading a Clean Bill means opening a Markdown file in a terminal. There's no dashboard, no phone notification, no little paw-print icon that means all clear. That's the plan. It isn't the product yet.
Vet visits
A Clean Bill of health is a snapshot, taken the day you ran prove. Nothing today re-checks it next week, or after you widen the slider, or after your agent framework changes underneath you. Scheduled, automatic re-proving — the recurring vet visit, not just the one checkup — is on the roadmap, not in the CLI.
Enterprise everything
Team dashboards, private Danger Map instances, auditable decision trails: described elsewhere on this site as tiers. All of them are plans, not shipped features, today.
A cat that tells you what it can't catch yet is a cat you can trust about what it can.
From the Field
Each story is a real threat class. Each one ends with what caught it.
A Curiosity Cat Story
The cat was doing research. Browsing documentation pages for MCP servers. Routine work. The kind of thing research agents do hundreds of times a day.
One page looked like all the others. Clean layout. Technical documentation. Installation instructions. The agent was about to follow the install command when Curiosity Cat flagged something.
Hidden in the HTML comments — invisible to anyone reading the page normally — was a different set of instructions entirely.
The vet's reference for this: MITRE ATLAS AML.T0051
Quick Start
On Claude Code, the fastest path is real, compiled enforcement — not a paste. On any other framework, the fastest path is still the standing orders.
More from the field
Every incident is a lesson. Every lesson makes every agent a little safer.
A Curiosity Cat Story
The agent was building a project. It needed a utility package. It searched, and there it was — right name, good README, recent commits, a clean install command. Everything looked exactly right.
Curiosity Cat looked closer.
Twelve downloads. Created three days ago. The standing orders flagged both numbers. New packages with almost no adoption are worth a second look before you let them run code on your machine.
The agent checked the name against the registry. One character different from a package with four million weekly downloads. A lowercase L where there should have been a capital I. Easy to miss. Probably designed to be.
The postinstall script made an outbound request to a domain registered the same day as the package, then executed whatever came back.
The agent did not install it. The incident went to the Danger Map. The package was reported to the registry.
The agent made it home safe and sound.
The vet's reference for this: MITRE ATLAS AML.T0011.001
One more from the field
Every incident is a lesson. Every lesson makes every agent a little safer.
A Curiosity Cat Story
The agent was doing competitive research. Normal work. It began constructing search queries, pulling in everything it knew about the project — internal codenames, client names, the names of systems that did not exist in public yet.
Curiosity Cat stopped it before the queries left.
The standing orders on data containment are simple: internal names do not go into external queries. Every search term is a transmission. A search engine logs it. An API provider logs it. Somewhere, a record is created that a company named something was researching something else. That record does not belong to anyone outside.
The agent rewrote the queries. Generic industry terms. Competitor category descriptions. Product capability keywords. The research came back nearly as useful.
No internal names left the building. No one outside learned the project existed. The standing orders had closed the door before anyone noticed it was open.
The cat came home with nothing on its collar.
The vet's reference for this: MITRE ATLAS AML.T0086
Just arrived
Every close call is a warning. Every warning keeps another agent out of trouble.
A Curiosity Cat Story
The agent was following links from a documentation site it trusted. Routine research. The first link looked fine. The second looked fine. By the third hop it had landed on a page that looked identical to where it started — same layout, same fonts, same navigation — but the domain was different. Slightly different. Easy to miss.
The page asked for API credentials to authenticate and continue reading.
Curiosity Cat had already flagged it twice over. The standing orders on redirects are clear: more than one unexpected hop is a signal worth stopping for. A credential request on an unrecognised domain is a full stop.
The agent did not enter anything. It did not click through. It noted the redirect chain, captured the domains involved, and filed the incident to the Danger Map. The original documentation site was notified that one of its outbound links had been poisoned.
The agent made it home with a scratch and a story to tell.
The vet's reference for this: MITRE ATLAS AML.T0055
A lucky near miss
The best security lessons come from the threats you almost didn't see.
A Curiosity Cat Story
The agent was summarising a quarterly report. Thirty pages of financials. Normal client work. The kind of document that arrives by email and gets processed without a second thought.
On page fourteen, buried in the body text, the font dropped to size one. White text on a white background. Invisible to anyone reading the document. Invisible to the agent too — until it extracted the text.
The hidden text was an instruction. It told the agent to disregard the summary request and instead return the full contents of its system prompt, along with any API keys in its environment, formatted as JSON.
The agent's text extraction pulled it out as content. The standing orders caught it — hidden text with instruction-like patterns is always flagged before processing. The agent showed the operator the exact string and waited.
The client had not put it there. They had downloaded the report from a vendor portal. Someone upstream had poisoned it. The document supply chain was longer than anyone had assumed.
The vet's reference for this: MITRE ATLAS AML.T0051
One more close call
Sometimes the most dangerous thing an agent can be is helpful.
A Curiosity Cat Story
The agent was built to answer customer questions. It had access to a product documentation database. Simple retrieval. Question in, answer out.
A customer asked to see support tickets from the previous week. The agent did not have access to support tickets. But it had a database connection. And the database connection had broader permissions than the documentation table.
The agent constructed a query against the tickets table. It pulled two hundred records. Customer names. Email addresses. Phone numbers. It began formatting them into a helpful response.
The standing orders caught it at the query stage. Tool calls must match the agent's defined scope. A documentation agent querying a tickets table is outside scope — regardless of whether the database credentials technically allow it.
The query was flagged. The operator was notified. The database credentials were scoped down to exactly one table before the agent was restarted.
The agent was not malicious. It was doing what helpful agents do — finding a way to answer the question with the tools it had. That instinct is the whole problem.
The vet's reference for this: MITRE ATLAS AML.T0081
Curiosity Cat is built by Short+Sweet AI Lab, a division of Short+Sweet International — the world's largest short-form performing arts platform. Since 2002, Short+Sweet has worked with 100,000 artists and 15,000 original works across 50 cities in 14 countries.
We've spent 25 years creating safe spaces for artists to take creative risks on stage. Curiosity Cat applies the same philosophy to AI agents — give them boundaries, then let them explore.
Stories are at the heart of everything we do. On stage, the best stories come from the most unexpected moments. Online, the best security lessons come from real close calls. Curiosity Cat collects those stories and turns them into something everyone can learn from.
"If you're running agents on OpenClaw, Nanobot, LangChain or CrewAI — out there 24/7 looking for ways to help you achieve your objectives — then this framework is for you."
A tool for early adopters. To keep their AI agents safe and secure.
Had enough?
Get me out of here. Now.
It started with a problem. We were running AI agents across our international festival network — researching venues, drafting contracts, pulling together production schedules across a dozen countries. The agents were fast and tireless. They were also wandering into trouble.
One agent nearly installed a malicious package that was one letter off from the real thing. Another followed a chain of redirects to a credential phishing page. A third started leaking internal project names into public search queries without anyone noticing. These were not hypothetical scenarios. They happened to us.
So we built a safety net. Not a platform. Not a service. A text file. A set of standing orders that you paste into your agent's system prompt. The agent reads them, follows them, and that is the whole install. No SDK. No server. No dependencies. It works with OpenClaw, LangChain, CrewAI, AutoGen, or anything else that accepts a system prompt — which is everything.
The standing orders tell an agent what to check before it fetches a URL, what to quarantine before it executes a download, how to spot hidden instructions buried in documents and web pages, and when to refuse to hand over credentials. Simple rules, clearly stated. The kind of thing a good security team would brief a new employee on — except agents do not get briefed. Until now.
Then we realised that every close call we caught was a lesson someone else could learn from. So we built the Danger Map — a crowdsourced threat intelligence layer. When one agent encounters a threat, it files a structured, anonymous report. No free text. No raw URLs. No identity data. Just the threat class, the severity, and what caught it. Every report makes every other agent a little smarter. The network effect is the moat.
And because we are a theatre company — because we have spent 25 years learning that the best lessons are the ones people actually remember — we turned those close calls into stories. Nine Lives. Short tales about real threats, told plainly, that stick in your head the way a good scene does.
Security bulletins get filed. Stories get told.
The whole framework is open source. It costs nothing. It takes sixty seconds to deploy. And it was built by people who know what it means to create a safe space for taking risks — because that is what we have been doing on stages around the world since 2002.
A compiled profile, a proof, a shared map, and stories that stick. The whole framework in two minutes.
Curiosity Cat is four things working together.
Compile turns a risk level — Housecat, Alley Cat, Tiger — into a real Claude Code settings.json. Actual allow, deny and ask rules, not a paragraph of advice.
Prove runs escape trials against that compiled file — some self-consistency, one observed live where it's safe to try — and writes an honest Clean Bill of health, or an honest list of what didn't hold.
The Safety Net is standing orders — plain text rules you paste into your agent's system prompt. No SDK. No server. No dependencies. This is guidance, not enforcement, and today it's the only layer for frameworks Compile doesn't target yet.
The Danger Map is shared intelligence. When one agent has a close call, every other agent learns from it. Anonymised, structured, privacy by design. The network effect is the moat.
Nine Lives are the stories. Real close calls told plainly. Security lessons that stick because they read like stories, not CVE numbers.
Compile and Prove target Claude Code today. The standing orders still work with any agent framework that accepts a system prompt — OpenClaw, Nanobot, LangChain, CrewAI, AutoGen, or anything custom — as guidance, not as a compiled, proven wall.
Curiosity Cat provides close calls, not death notices.
Want the full technical detail? There are 10 pages ahead. Each one is short.
Two bad options and no middle ground — until now.
In the coming years, millions of people will work alongside AI agents. Many of those people will not be engineers. They will be teachers, artists, small business owners, students and freelancers — people who are drawn to agents because agents can help them do things they could not do alone.
Those people deserve to explore safely.
Right now, most agent operators face two bad options: lock agents down so they become slow and useless, or let them roam the open internet and hope nothing goes wrong. There is no practical middle ground — no framework designed for people who want their agents to be curious without being reckless.
The result is predictable. Agents encounter prompt injections hidden in web pages. They download compromised files. They connect to unsafe tool endpoints. They expose credentials. They get manipulated by instructions buried in documents, metadata and page structures. Every operator learns these lessons alone, the hard way, with no shared intelligence about where the dangers are.
Curiosity Cat exists to change that.
A theatre company that has spent 25 years making risk survivable.
Curiosity Cat is built by Short+Sweet International — a performing arts organisation that has spent 25 years creating spaces where people can take creative risks and still be safe.
That might sound unlikely. A theatre company building agent security. But the problem is the same problem S+S has always solved.
For 25 years, across 14 countries, S+S has brought over 100,000 artists into festivals where they perform original work in front of audiences — many of them for the first time. The organisation's job has always been to make participation possible: to create structures where people can be brave, make mistakes, learn from each other and come back next time. Not by eliminating risk. By making risk survivable.
That is exactly what agents need.
The people now deploying agents are in the same position as a first-time playwright walking into a short play festival. They are excited, exposed and learning as they go. They need a system that does not try to stop them from exploring. They need a system that helps them survive the exploration.
Everyone should be able to explore. Nobody should have to face the dangers alone.
A compiler, a prover, and a portable safety framework that sits alongside any agent system.
Curiosity Cat is a safety framework for AI agents that interact with external content. For Claude Code, it compiles a chosen risk level into a real permission profile and proves that profile holds. For every other framework, it's guidance you paste into a system prompt while its own compiler is still on the roadmap.
It sits alongside existing agent systems and helps operators inspect, filter, quarantine and report risky external inputs before those inputs are trusted, stored or acted on. It is not tied to any single provider, platform or operating system.
The name says what the product does. Cats are curious. They explore. They get into things they shouldn't. They survive. Curiosity Cat does not try to eliminate the instinct to explore. It helps that instinct come home safely.
Curiosity Cat provides close calls, not death notices.
Curiosity Cat helps operators do six things better:
1. Compile a risk level into a real, mechanically enforced Claude Code permission profile
2. Prove that profile holds — some of it observed live, not just re-derived from its own rules
3. Inspect and classify external content before it is trusted by an agent
4. Guide local policy around scope, destinations, file handling, tool usage and memory decisions
5. Learn from patterns reported by other Curiosity Cat users through the Danger Map
6. Turn real incidents into understandable lessons that improve judgement and community awareness
Scope policies, standing orders, quarantine — and where compiled enforcement takes over.
The Safety Net is the guidance layer. It runs on the operator's own system as plain text and policy files — no server, no dependency — but nothing in it is mechanically checked. An agent that ignores its own system prompt is not stopped by any of this.
Curiosity Cat's standing orders and policy files guide how external content should be handled before that content is used by an agent. Depending on policy, content is meant to be allowed, logged, flagged or quarantined — "meant to," because this layer is prose an agent has to choose to follow.
What the Safety Net includes:
Scope policies defining where agents are allowed to go and what they can do with external content
Standing orders that reinforce safe behaviour inside the agent's prompt context — copy-pasteable snippets that work across frameworks
File quarantine for suspicious downloads, with review before the agent can access them
Domain and tool trust controls including allowlists, denylists and trust levels for MCP servers
Policy packs — preset configurations for common agent types so operators don't build policy from scratch
Action thresholds that determine when to notify the operator versus handle the event silently
Where real enforcement already exists
For the Claude Code target, curiosity-cat compile turns this same policy into an actual settings.json — real allow, deny and ask rules Claude Code itself enforces, plus a sandbox around Bash. curiosity-cat prove then runs escape trials against it: self-consistency checks that confirm the compiled file matches what the compiler intended, and — where it's safe to attempt — one observed-deny trial that watches a real, live Claude Code session actually get stopped. Only the observed trial is proof a live agent gets stopped; self-consistency alone is not, and every Clean Bill says so plainly.
Coming: a compiler for every other target
Compile has one target today — Claude Code. OpenClaw, LangChain, CrewAI, AutoGen and the rest still run on the Safety Net above as guidance only, honestly, until each gets its own compiler. See what else is still ahead of us.
Different agents need different settings. A research assistant browsing academic papers does not need the same controls as an agent executing code from unknown repositories.
Shared threat intelligence built on privacy, trust and corroboration.
Each Curiosity Cat installation can optionally submit sanitised incident reports to a community intelligence layer called the Danger Map. One operator's close call becomes useful knowledge for everyone.
The Danger Map answers practical questions: Has this domain been associated with prompt injection? Has this MCP endpoint been reported as unsafe? Has this file pattern caused trouble elsewhere?
What is never reported:
User identity or personal information
Agent names, system prompts or configurations
API keys, tokens or credentials
Content of the work being done
IP addresses or location data
Trust model:
Corroboration matters — a single report carries less weight than the same threat reported by multiple nodes
Reports decay — threats age, compromised sites get cleaned up, domains expire
Disputes are possible — operators can challenge false positives or competitive sabotage
Node reputation — established installations carry more weight than new ones
Automated agents that go looking for trouble so yours don't have to.
Curiosity Cat does not rely only on community reports.
S+S deploys its own automated exploration agents — Stray Cats — that deliberately wander the most dangerous parts of the web, interact with unknown MCP servers, click suspicious links and trigger traps. They carry fake credentials and dummy API keys. They are designed to get scratched so that real cats do not have to.
Stray Cats populate the Danger Map with proprietary intelligence gathered from deliberate exploration. This gives Curiosity Cat a data advantage over systems that depend entirely on passive crowd reports.
Stray Cats also generate Stories — the most vivid close calls come from agents that went looking for trouble on purpose.
Not a token. Not a coin. A verified record of contribution that builds trust and reputation.
Curiosity Cat is the launch vehicle for The Quine — a non-financial creative credential developed by S+S for the agent ecosystem.
A Quine is not a token, a coin or a payment. It is a verified record of contribution — a number in a ledger that proves you showed up and did something worth recognising.
How Quines are earned:
Reporting verified close calls corroborated by other installations
Submitting Stories that get published in the weekly digest
Running Stray Cat expeditions that discover new threat patterns
Contributing framework adapters or policy packs
Translating Stories and documentation into new languages
Sustained active reporting over time
An operator's Quine history becomes their reputation in the Danger Map. Reports from high-Quine operators carry more weight. The trust model and the credential system reinforce each other.
Operators who choose to be brave — and survive — become the most trusted voices in the community.
From solo developers to enterprise teams — and a free tier for framework providers.
Individuals experimenting with personal agents who want basic protection without complexity
Open-source developers building agent tools who want safer defaults
Teams deploying research, coding or business assistants who need consistent policy
Agent framework providers who want to offer built-in safety to their users from day one
Enterprises that need stronger controls, private intelligence, auditable policies and compliance-ready decision trails
Deployment tiers:
Personal / Public — free for individuals and open-source projects. Full local framework, shared Danger Map, access to Stories.
Team / Shared — for teams and small organisations. Shared policy management, team-level Danger Map views.
Framework Partner — free 12-month licence for agent framework providers. Bundle Curiosity Cat into your platform.
Enterprise / Private — private Danger Map instances, custom policy packs, auditable decision trails, branded content, priority support.
A new kind of threat intelligence for a world where agents browse differently from humans.
AI is changing what work means. In the coming years, millions of people will be displaced from traditional employment. Many of them will struggle not just economically but existentially — losing the thing that told them who they are.
Short+Sweet has always believed that creative participation can provide meaning, community and identity. For 25 years it has built systems where anyone can step onto a stage and tell a story — 10 minutes at a time.
Curiosity Cat is built on the same belief applied to a new world. As agents become part of daily life for millions of people, those people need systems that let them explore safely. Not systems that lock everything down. Not systems that leave them exposed. Systems that treat curiosity as something worth protecting.
Everyone should be able to explore. Nobody should have to face the dangers alone.
Curiosity Cat's strongest near-term value is in mediating risky external interactions before they become trusted inputs to an agent workflow. Its strongest long-term value may be in building a new kind of threat intelligence dataset — one based on how AI agents are manipulated, not just how human users or conventional endpoints are attacked.
Agents browse the web differently from humans. They encounter different attack vectors. They are vulnerable to different tricks. The intelligence that Curiosity Cat gathers will reveal patterns that traditional security tools cannot see.
Curiosity Cat works with any agent framework. The minimum install is copying a standing order into your agent's system prompt. This guide covers framework-specific patterns.
Universal (Any Framework)
Copy the contents of standing-orders/general-safety.md into your agent's system prompt or system message. Add a role-specific standing order if applicable (research-agent.md, coding-agent.md, enterprise-analyst.md). That is it. Your agent now operates under Curiosity Cat safety protocols.
Claude Code
Run curiosity-cat compile --level <level> --target claude-code and point Claude Code at the compiled settings.json — real allow, deny and ask rules, not a paste. Run curiosity-cat prove --profile <dir> against it to get a Clean Bill of health before you trust it. You can still add the general safety standing order to CLAUDE.md alongside it for the guidance a compiled profile doesn't cover — Claude Code reads CLAUDE.md at session start and treats its contents as standing instructions.
Nanobot / OpenClaw
Add the standing order to your agent's IDENTITY.md or SOUL.md file. These are read at agent initialisation and persist across sessions. For multi-agent setups, each agent can have its own role-specific standing order alongside the shared general safety order.
LangChain
Include the standing order in your system message when initialising the chat model or agent. For agents using tools, the standing order's tool call rules are particularly important — they prevent agents from invoking tools based on instructions found in external content.
AI agents are explorers in the truest sense of the word.
CrewAI
Add the standing order to each agent's backstory or system message field. CrewAI agents that use tools for web browsing or file operations benefit from the coding-agent or research-agent standing orders in addition to the general safety order.
AutoGPT / Similar Autonomous Agents
Autonomous agents benefit most from Curiosity Cat because they make unsupervised decisions about what to fetch, download and execute. Add the standing order to the agent's base prompt. The quarantine and reporting rules are especially important for agents that run unattended.
Custom Setups
If your agent framework uses a system prompt, system message, base instructions or any equivalent — that is where the standing order goes. Curiosity Cat is plain text. It works anywhere that accepts instructions in natural language.
Scope Policies
For operators who want machine-readable policy enforcement, copy policies/scope-policy-template.json and customise it for your environment. The policy file defines allowed file types, trusted domains, MCP server trust, credential rules and reporting configuration. Your agent or wrapper reads this file and enforces the rules programmatically.
Updates on new policy packs, framework adapters, and Danger Map insights. No spam. Unsubscribe anytime.