Shadow AI Firewall

Prevent data leakage by masking PII and financial data in AI platforms before requests leave the browser.

As of June 2026, Shadow AI Firewall has 1 user in the Productivity category.

Users: 1 (no change, 0%)
Rating: - (no change, 0%)
Reviews: - (no change, 0%)
Version: 1.0.0
Manifest V3

History

2 snapshots

Tracking since Apr 24, 2026.

Date | Users | Rating | Reviews | Version
Apr 24, 2026 | - | - | - | 1.0.0
May 31, 2026 | - | - | - | 1.0.0
Now | 1 | - | - | 1.0.0

Permissions & access

Permissions: storage
Host access: *://chat.openai.com/*, *://chatgpt.com/*, *://claude.ai/*, *://*.anthropic.com/*, *://*.openai.com/*, *://gemini.google.com/*, *://bard.google.com/*, *://aistudio.google.com/*, *://*.googleapis.com/*, *://copilot.microsoft.com/*, *://*.bing.com/*, *://perplexity.ai/*, *://*.perplexity.ai/*, *://meta.ai/*, *://*.meta.ai/*, *://x.ai/*, *://grok.com/*, *://you.com/*, *://phind.com/*, *://*.mistral.ai/*, *://poe.com/*, https://*.supabase.co/*

About

Shadow AI Firewall helps reduce accidental exposure of sensitive information when you use web-based AI chat products. Users often paste content from email, support tickets, documents, or spreadsheets into a chat box. That text can include personally identifiable information (PII), financial identifiers, government-style numbers, or secrets such as API keys. After an HTTP request leaves the browser, you cannot fully control how it is logged or retained downstream.

How it works
The extension activates only on websites whose origins appear in this item’s permissions. It coordinates with page context logic to intercept outgoing requests and rewrite serialized payloads so detected sensitive fragments are replaced with stable placeholders (for example [EMAIL_1], [AFM_1]) before data is sent. An in-memory mapping allows the browser to restore the original wording locally where the page shows replies, so you can still read the intended meaning while the remote side tends to see redacted text.

If a website is not covered by the declared host permissions, the extension does not run there.

Detection overview (heuristic—not a legal guarantee)
The engine combines multiple detectors, including examples such as:
• Email addresses
• IBANs
• Payment-card–like number sequences
• Greek taxpayer identifiers (AFM) and social identifiers (AMKA)
• Greek national ID-style patterns (Α.Δ.Τ.) and passport-style patterns where rules apply
• Phone numbers
• Financial amounts when they appear as money-like values
• Certain network identifier patterns (e.g., IP/MAC-style fragments)
• High-signal secret formats (such as JWT-shaped tokens, some cloud key prefixes, and known third-party secret patterns)—while avoiding broad “any long random string” rules that would break normal sites
• Optional on-device language analysis to mask names/places/organizations in prose
Overlapping matches are merged so replacement stays predictable.

Why this is not just “edit the text box”
The extension does not depend on rewriting the chat editor DOM to mask, because that can break single-page apps. Redaction is applied to outgoing request bodies by walking JSON and embedded string payloads consistently. Very short numeric-only snippets and UUID-like tokens may be skipped as likely system identifiers rather than user secrets.
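The body-level redaction described above (stable placeholders, merged overlapping matches, a walk over JSON and embedded JSON strings, local restore) can be sketched as follows. This is an added example, not the extension's code; `createRedactor`, `DETECTORS` and both simplified patterns are assumptions made for illustration.

```javascript
const DETECTORS = [ // simplified patterns (assumption); real ones add checksums and context
  { label: "EMAIL", re: /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g },
  { label: "AFM", re: /\b\d{9}\b/g }, // nine-digit shape only
];
function createRedactor() {
  const byValue = new Map();    // original text -> placeholder, so repeats stay stable
  const restoreMap = new Map(); // placeholder -> original text, held in memory only
  const counters = {};
  function placeholderFor(label, value) {
    if (!byValue.has(value)) {
      counters[label] = (counters[label] || 0) + 1;
      byValue.set(value, `[${label}_${counters[label]}]`);
      restoreMap.set(byValue.get(value), value);
    }
    return byValue.get(value);
  }
  function redactText(text) {
    const spans = [];
    for (const { label, re } of DETECTORS)
      for (const m of text.matchAll(re))
        spans.push({ start: m.index, end: m.index + m[0].length, label });
    // Earliest first; on a tie the longer match comes first and keeps its label.
    spans.sort((a, b) => a.start - b.start || b.end - a.end);
    const merged = [];
    for (const s of spans) {
      const last = merged[merged.length - 1];
      if (last && s.start < last.end) last.end = Math.max(last.end, s.end);
      else merged.push(s);
    }
    let out = "", pos = 0;
    for (const s of merged) {
      out += text.slice(pos, s.start) + placeholderFor(s.label, text.slice(s.start, s.end));
      pos = s.end;
    }
    return out + text.slice(pos);
  }
  function redact(node) { // walks values only; object keys are left untouched
    if (typeof node === "string") {
      if (/^\s*[{[]/.test(node)) // embedded JSON: parse, redact, re-serialize
        try { return JSON.stringify(redact(JSON.parse(node))); } catch { /* not JSON */ }
      return redactText(node);
    }
    if (Array.isArray(node)) return node.map(redact);
    if (node && typeof node === "object")
      return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, redact(v)]));
    return node;
  }
  return { redact, restore: (t) => t.replace(/\[[A-Z]+_\d+\]/g, (ph) => restoreMap.get(ph) ?? ph) };
}
```

An email whose local part is nine digits matches both detectors; the merge step keeps it as a single EMAIL span instead of leaving a half-redacted address in the outgoing body.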

Controls
From the toolbar popup you can enable or disable protection globally, toggle individual scanners exposed in the UI (including Greek tax/social options, payment and email patterns, IBAN, and optional language-based masking), and optionally save an enterprise key if your organization uses that mode.

Privacy
In typical personal use without an enterprise key, settings are kept locally and detection telemetry is not sent to a publisher-controlled endpoint. If an enterprise key is configured, minimal metadata (such as detector category and coarse site class) may be transmitted for organizational visibility—not the full secret text. Optional third-party endpoints used for that channel are reflected in permissions.

Permissions (plain language)
Storage is used for your settings. Host access is limited to declared origins so content logic can run only where the add-on is meant to operate.

Limitations
Client-side heuristics are not a complete enterprise DLP product, legal substitute, or completeness guarantee. Expect possible false positives and false negatives. Non-text channels (uploads, images, audio, etc.) are outside the normal text path. You remain responsible for compliance with your employer’s policies and applicable laws.

Who it’s for
Individuals and teams who want a practical guardrail: less raw sensitive text in outbound chat requests on supported sites, without pretending the problem is fully solved by a browser add-on alone.

Technical

Version: 1.0.0
Manifest: V3
Size: 252KiB
Min Chrome: 88
Languages: 1
Featured: No

Metadata

ID: dobaajjnlgpbfkhlfldikmlfihnilajp
Developer ID: u9d1f3469090fac22ee94fe9d61ff30a1
Developer Email: [email protected]
Created: Apr 23, 2026
Last Updated (Store): Apr 23, 2026
Last Scraped: Jun 6, 2026

Data sourced from the Chrome Web Store · last verified Jun 6, 2026.