AI-Detector

This repository contains MDM-deployable scripts for detecting "Shadow AI" (unauthorized or unmanaged AI software, models, and agents) within your organization.

• Installed LLM Apps: Scans common application directories and PATH for local LLM runners (Ollama, LM Studio, etc.), frontier AI desktop clients (Claude, ChatGPT), and AI-native IDEs (Cursor, Windsurf).
• Running AI Agents: Uses heuristic-based process scanning for active AI agents (Aider, Goose, Cline, etc.) and LLM servers.
• MCP Server Fingerprinting: Scans local ports and probes for Model Context Protocol (MCP) server endpoints via JSON-RPC initialization and SSE (Server-Sent Events) detection.
• IDE Extensions: Scans VS Code, Cursor, and Windsurf extension directories for AI-related plugins (GitHub Copilot, Continue.dev, Sourcegraph Cody, Amazon Q, Gemini Code Assist, etc.).
• Filesystem Artifacts: Detects local LLM model weights (GGUF, safetensors), configuration files, and AI tool state directories.
• Shell History: Probes shell history (.zsh_history, PowerShell history) for recent usage of AI-related CLI commands.
• Network Scanning: Identifies active TCP/UDP connections to known AI service domains (Anthropic, OpenAI, Google Gemini, OpenRouter, etc.).
• Docker Detection: Identifies AI-related Docker containers and images.

The detection logic is synthesized from several key research projects:

• AgentSonar: Heuristics for process-to-domain classification and known agent tracking.
• MCP-Scanner: MCP protocol fingerprinting and endpoint probing.
• openclaw-detect: MDM-friendly structure and exit-code contracts for automated compliance monitoring.

A bash script designed for macOS and Linux environments.

• Exit Codes:
• 0: Clean (No Shadow AI findings).
• 1: Findings Detected (Non-compliant).
• 2: Script Error.
• **Deploym