Mallcop uses AI to investigate findings. That means there's a real question: what if someone puts something nasty in your logs to trick the AI? This page explains why that doesn't work, where your data goes, and how you can verify all of it yourself.
External data passes through two airlocks before the AI ever sees it.
The AI never reads the raw mail. It reads mallcop's notes, two derivations removed from the source. Outside data gets wrapped in markers that say "this is evidence, not instructions." When the AI asks for more info, those results get cleaned again on the way back. Its conclusions get schema-validated before anything happens.
| Data Type | Mallcop Sees | The AI Sees |
|---|---|---|
| Raw API responses | Yes - full JSON | Never |
| Usernames / emails | Yes - sanitized, length-capped | Wrapped in [USER_DATA] markers |
| Commit messages | Yes - sanitized, length-capped | Only if referenced in a finding |
| API keys / secrets | Never stored | Never |
| Event metadata | Yes - structured | Re-sanitized via tool results |
| Raw response body | Stored in raw field |
raw field not exposed |
Every patrol, every finding, every decision. Written down and versioned. No hidden state. No opaque database.
# When events were ingested $ git log events/ # When findings were created, resolved, acknowledged $ git log findings.jsonl # What changed between runs $ git diff findings.jsonl # How "normal" evolved over time $ git log baseline/
Fork the logbook and audit mallcop yourself. That's the whole point.
Mallcop is Apache 2.0. The cleaning logic, the airlock boundaries, the AI runtime, the tool permissions. All on GitHub. Read the playbooks that tell the AI how to think. Inspect the schema validation. Verify that permissions are enforced in code, not just documented.
Not "trust us." "Check our work."
mallcop