Security & Trust Center

You give an AI shell access. Here’s exactly what it can and can’t do.

Agentic SSH is a desktop app with no managed backend. We wrote this page for the security reviewer, not the marketing funnel.

Data flow & trust boundaries

There are two modes, and the difference is the whole point. In local mode (Ollama), inference runs on your own machine or network — your SSH session content never leaves your perimeter. In cloud mode, the prompt context needed for the task is sent to the model provider you chose, using your own API key.

In both modes, Agentic SSH is a desktop application. We (Elu Technology) operate no inference backend and no proxy — your traffic goes from your machine to the model you picked, and to the hosts you target.

What we never see

Because it’s bring-your-own-key and desktop-only:

  • Your API keys — stored locally, sent only to the provider you configured.
  • Your SSH session content, commands or outputs.
  • Your hosts, credentials or connection config.
  • With Ollama, none of the above leaves your network at all.

The safety model — and its limits

Writes and destructive operations are gated by default (Confirm / Confirm-on-write). A heuristic denylist and a read-only classifier catch the obvious dangerous patterns, and you see the exact command before it runs.

We’re honest about the limit: heuristics stop fumbles and the obvious footguns; they cannot guarantee they catch every adversarial or obfuscated input. That’s precisely why the default posture is “confirm + audit,” not “trust the model.” For production hosts, keep writes gated.

Audit & accountability

Every command, its output, and the agent’s decisions are appended to a structured JSONL transcript. It’s exportable and diff-friendly, so an action can be reconstructed after the fact and handed to an auditor or dropped into your SIEM.
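An added example, not Agentic SSH's own code: a reviewer-side check over an exported transcript that flags write-class commands that ran without a human confirmation. The field names and sample records are assumptions constructed for illustration; this page does not document the transcript schema.

```python
import json

# Constructed sample transcript. The field names ("ts", "host", "command",
# "class", "decision", "exit_code") are assumptions, not the product's schema.
# The last line is cut short on purpose, as an interrupted append would leave it.
SAMPLE = """\
{"ts": "2024-01-01T10:00:00Z", "host": "web-1", "command": "df -h", "class": "read", "decision": "auto", "exit_code": 0}
{"ts": "2024-01-01T10:00:05Z", "host": "web-1", "command": "systemctl restart nginx", "class": "write", "decision": "confirmed", "exit_code": 0}
{"ts": "2024-01-01T10:00:09Z", "host": "db-1", "command": "rm -rf /var/tmp/cache", "class": "write", "decision": "auto", "exit_code": 0}
{"ts": "2024-01-01T10:00:12Z", "host": "db-1", "command": "truncate -s 0 app.log", "class": "write", "decision": "denied", "exit_code": null}
{"ts": "2024-01-01T10:00:15Z", "host": "db-1", "comm
"""

def parse_transcript(text):
    """Return (records, bad_line_numbers). Malformed lines are reported, never dropped silently."""
    records, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if isinstance(rec, dict):
            records.append(rec)
        else:
            bad.append(n)
    return records, bad

def ungated_writes(records):
    """Write-class commands that executed without an explicit confirmation.
    A record with no classification is treated as a write (fail closed)."""
    return [r for r in records
            if r.get("class", "write") == "write"
            and r.get("decision") != "confirmed"
            and r.get("exit_code") is not None]  # an exit code means it ran

def summarize(records):
    """Count decisions per host, a compact view for an auditor or a SIEM rule."""
    counts = {}
    for r in records:
        key = (r.get("host"), r.get("decision"))
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    recs, bad = parse_transcript(SAMPLE)
    print("unparseable lines:", bad)
    for r in ungated_writes(recs):
        print("UNGATED WRITE", r["ts"], r["host"], r["command"])
```

Reporting the unparseable line numbers matters for an audit trail: a gap in the record should be visible to the reviewer rather than skipped.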

Licensing & activation

Licenses are activated with offline, ed25519-signed keys — no phone-home to our servers is required. That keeps activation viable on air-gapped and restricted networks, and is consistent with the local-first design.

On the roadmap (not done yet)

We’d rather list these honestly than imply they exist:

  • Expanded automated test coverage of the safety layer.
  • A documented path toward SOC 2.
  • A third-party security review.

Evaluating for a regulated environment?

We’re happy to walk a security team through the data flow and answer a questionnaire.