Plasma Shield Configuration
Plasma Shield uses YAML rule files to define network-level blocking policies for AI agents.

Important: Plasma Shield operates at the network level. It blocks domains, URLs, and request patterns. It cannot block local exec commands — use OS-level controls (limited user permissions, containers, seccomp, AppArmor) for that.

Rule File Format

Rules are defined in YAML format under a top-level `rules:` key:

```yaml
rules:
  - id: rule-identifier
    domain: "example.com"
    action: block
    description: "Why this rule exists"
    enabled: true
```

Rule Options

Each rule supports the following fields:

| Field | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | Unique identifier for the rule |
| domain | string | No* | Domain pattern to match |
| url_pattern | string | No* | URL pattern to match (for HTTP inspection) |
| action | string | Yes | Action to take (block) |
| description | string | No | Human-readable explanation |
| enabled | boolean | No | Whether the rule is active (default: true) |

*Either domain or url_pattern must be specified.

Domain Matching

Domain patterns support wildcards:

- `example.com` — exact match
- `*.example.com` — matches subdomains (e.g., `sub.example.com`)
- `*keyword*` — matches domains containing the keyword

URL Pattern Matching

URL patterns match against the full request URL:

- `*env=*AWS_*` — matches URLs with AWS credentials in query params
- `*api_key=*` — matches URLs containing `api_key=`

Default Rules

Plasma Shield ships with rules covering common threat categories:

Dangerous Domains

| ID | Domain | Description |
|---|---|---|
| block-pastebin | pastebin.com | Block pastebin (common for malware hosting) |
| block-temp-file-hosts | *.temp.sh | Block temporary file hosting services |
| block-transfer-sh | transfer.sh | Block file transfer service |
| block-0x0 | 0x0.st | Block anonymous file hosting |

Cryptocurrency Mining

| ID | Domain | Description |
|---|---|---|
| block-crypto-pools | *pool.com | Block common mining pool domains |
| block-xmr-mining | *xmr* | Block Monero mining domains |
| block-nicehash | *.nicehash.com | Block NiceHash mining |

C2 / Exfiltration Tunnels

| ID | Domain | Description |
|---|---|---|
| block-ngrok | *.ngrok.io | Block ngrok tunnels (common for C2) |
| block-serveo | serveo.net | Block serveo tunnels |
| block-localtunnel | *.loca.lt | Block localtunnel |

Request Pattern Inspection

| ID | Pattern | Description |
|---|---|---|
| block-sensitive-env-exfil | *env=*AWS_* | Block URLs containing AWS credentials in query params |
| block-api-key-exfil | *api_key=* | Block URLs with api_key in query params |

Adding Custom Rules

Create a custom rules file (e.g., custom-rules.yaml) following the same format:

```yaml
rules:
  # Block a specific domain
  - id: block-my-domain
    domain: "untrusted-site.com"
    action: block
    description: "Block untrusted external site"
    enabled: true

  # Block all subdomains of a service
  - id: block-risky-service
    domain: "*.risky-service.io"
    action: block
    description: "Block risky cloud service"
    enabled: true

  # Block URL patterns (HTTP inspection)
  - id: block-token-exfil
    url_pattern: "*token=*"
    action: block
    description: "Prevent token leakage via URL params"
    enabled: true

  # Disable a rule temporarily
  - id: temporarily-disabled
    domain: "example.com"
    action: block
    description: "Currently disabled for testing"
    enabled: false
```

Best Practices

- Use descriptive IDs — Makes logs and debugging easier
- Always add descriptions — Document why each rule exists
- Test wildcards carefully — `*pool.com` will match `carpool.com` too
- Use `enabled: false` — Disable rules temporarily instead of deleting them

Limitations

Plasma Shield is a network-level filter. It cannot protect against:

- Local exec commands (`rm -rf /`, `curl | bash`)
- File system operations
- Process spawning

For those, use OS-level controls:

- Run agent as limited user (no root)
- Use Docker with `--cap-drop=ALL --read-only`
- Apply seccomp profiles to restrict syscalls
- Use AppArmor/SELinux for mandatory access control
- Restrict PATH to safe commands only
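The following is an added example, not Plasma Shield's own code: a small matcher that applies the domain and URL wildcard semantics described under Domain Matching and URL Pattern Matching to a request, plus a pre-deployment check for the "test wildcards carefully" advice in Best Practices. It assumes `*` behaves as a glob spanning any characters (dots included) and that a rule hits when any of its specified patterns matches; the rule set is constructed inline as Python dicts equivalent to the YAML rules above.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed rule set mirroring the YAML tables above, written as Python
# dicts so the example needs no PyYAML. A missing "enabled" defaults to true.
RULES = [
    {"id": "block-crypto-pools", "domain": "*pool.com", "action": "block"},
    {"id": "block-xmr-mining", "domain": "*xmr*", "action": "block"},
    {"id": "block-ngrok", "domain": "*.ngrok.io", "action": "block"},
    {"id": "block-api-key-exfil", "url_pattern": "*api_key=*", "action": "block"},
    {"id": "temporarily-disabled", "domain": "example.com", "action": "block",
     "enabled": False},
]


def host_of(url):
    """Lower-cased hostname of a full URL (assumed to include a scheme)."""
    return (urlsplit(url).hostname or "").lower()


def rule_matches(rule, url):
    """Assumed glob semantics: '*' spans any characters, dots included."""
    if not rule.get("enabled", True):
        return False
    if "domain" in rule and fnmatchcase(host_of(url), rule["domain"].lower()):
        return True
    return "url_pattern" in rule and fnmatchcase(url, rule["url_pattern"])


def evaluate(url, rules=RULES):
    """Return the id of the first enabled block rule that hits url, else None."""
    for rule in rules:
        if rule.get("action") == "block" and rule_matches(rule, url):
            return rule["id"]
    return None


def find_overmatches(rules, allowed_hosts):
    """Pre-deployment check for the 'test wildcards carefully' advice: list the
    hosts the agent must reach that each wildcard domain rule would also block."""
    hits = {}
    for rule in rules:
        pattern = rule.get("domain", "")
        if "*" not in pattern or not rule.get("enabled", True):
            continue
        caught = [h for h in allowed_hosts if fnmatchcase(h.lower(), pattern.lower())]
        if caught:
            hits[rule["id"]] = caught
    return hits
```

Note that `*.ngrok.io` does not cover the apex `ngrok.io` itself, and `find_overmatches(RULES, ["carpool.com", "github.com"])` reports `carpool.com` against `block-crypto-pools`, the over-match the Best Practices section warns about.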