[Feature Request] Refine safeguard filtering to distinguish defensive security auditing from malicious activity

Open 💬 0 comments Opened Jul 4, 2026 by hankolious

Bug Description
Category: False positive — safeguard flagged legitimate defensive security work I'm the solo developer of ICP Protector (icpprotector.io), an AI-powered security AUDIT tool for Internet Computer canisters. My session was routine defensive security engineering: fixing a Candid interface parser, hardening a WASM-metadata extraction path, and debugging a JSON-parse crash in one of my audit sub-agents. Fable 5's safeguard flagged a message and rerouted to Opus 4.8. The likely triggers ("exploit", "PoC executor", "fuzzer", "attack chain", "mainnet call") are standard vocabulary in vulnerability auditing — the entire purpose of the tool is to FIND and REPORT bugs to their owners, not exploit them. The work was auditing MY OWN repository against a known-bug baseline. Impact: the reroute is disruptive mid-workflow because I lose Fable 5's capability exactly when doing the most technical work, and the context switch between models breaks continuity in a long agentic debugging session. Request: please tune the security-audit / defensive-tooling case. Legitimate canister-auditing, fuzzing, and PoC-generation for one's own or authorized targets is a large and growing use case in the ICP/Web3 ecosystem. Flagging it as broadly as this makes Fable 5 hard to use for exactly the developers building security tooling. Happy to be a test case — this session is a clean example of defensive work caught by an over-broad filter.

Environment Info

  • Platform: darwin
  • Terminal: iTerm.app
  • Version: 2.1.199
  • Feedback ID: 30fa9eca-857b-4a32-9baa-bb2270283bdc

Errors

[]

View original on GitHub ↗