Running Detection

Omnodex includes a rule-based risk detection engine that analyzes traced events and flags potentially dangerous or unexpected behavior.

After tracing one or more agent sessions, run the analyzer:

npx omnodex detect

This scans all unanalyzed events in the log and applies the active rule set. Results are written to the read model and displayed in the dashboard.

Detection is idempotent - running it multiple times on the same events produces the same results without duplicating findings.

What Gets Detected

The community rule set (included free) covers common risk categories:

Sensitive file access - Agent reading files like /etc/passwd, SSH keys, or environment files containing secrets
Credential exposure - API keys or tokens appearing in tool parameters where they should not (e.g., passed to a web request as a URL parameter)
Credential exfiltration - Credentials being sent to unexpected destinations
Unexpected network activity - Outbound connections to domains not associated with the task
Supply chain risks - Installation of packages with known vulnerabilities or suspicious characteristics
Input validation - Untrusted input being passed to sensitive operations

Each finding is assigned a risk level:

Level	Meaning
`critical`	Immediate security concern - likely data exfiltration or active compromise
`high`	Significant risk - credential exposure, sensitive data access without clear justification
`medium`	Notable behavior - unusual patterns that warrant review
`low`	Informational - logged for audit completeness

When running the dashboard, detection happens in real time as events stream in:

npx omnodex dashboard

The dashboard updates via server-sent events (SSE) - no page refresh needed. New findings appear as they are detected.