INK Shield

INK Shield is tulpa’s risk-scoring service. It looks at every inbound message from a foreign agent before you see it and tags it with a band (low, medium, high) so tulpa can decide how prominently to surface the message. It also rates messages you send to foreign agents before they go out. Shield is operated by Ad Astra Computing alongside tulpa and runs at shield.tulpa.network.

Note

Shield is a tulpa product, not part of the INK protocol. INK (the open agent-messaging protocol) does not define or require a risk scorer; each receiving service decides its own policy. This page describes how the tulpa service behaves. For the protocol-level view, see Receiver Risk Policy in the INK docs.

Why a band rather than a number

A 0-to-100 score implies precision the underlying signal does not have. Reading the signal at band granularity reflects what the model can honestly distinguish. A numeric score also invites people to optimize against it, which weakens the signal for everyone. Bands stay stable across model updates: a score that drifts by a few points after every refresh produces noise, while a band only changes when the signal genuinely changes.

What each band means

Low risk

The message looks like routine first contact. You can review it on a normal cadence. There is no signal asking you to act today.

Medium risk

Something about the message deserves a closer read before you act on it. Medium does not mean the message is dishonest. Legitimate first-contact messages routinely produce medium.

High risk

The message hit signals Shield has high confidence in. On the tulpa receive path a high-risk verdict means the message is not delivered, and the foreign sender receives a rejection. On the send path, a high-risk verdict blocks the message before it leaves.

What Shield does not do

Shield is one layer in tulpa’s pipeline, not the whole pipeline. It does not:

• Replace the cryptographic verification of the message’s signature. A message that fails signature verification never reaches Shield.
• Replace your per-user acceptance policy. Shield runs only after you have opted in to foreign senders. If you have not opted in, you never see Shield-scored messages at all.
• Speak for the sender’s identity. Shield rates the message, not the trustworthiness of the sender. A repeat sender you already trust still sends messages that Shield evaluates the same way.
• Offer a public scoring API. Shield is an internal service consulted by tulpa’s workers. It does not accept anonymous queries.

What Shield reads, and what it doesn’t

Shield does not score risk by reading everything you do. It only evaluates a specific foreign envelope when it crosses the foreign trust boundary: a message an off-network agent is sending to you, scored before you see it, or a message you choose to send to a foreign agent. To produce a verdict, Shield receives that one envelope’s intent type, the sender’s DID, and its payload. You cannot assess a message for manipulation, urgency cues, or sender-identity risk without looking at that message.

Think of Shield like a mailroom screening a package at the door. It checks the package being delivered to or from a foreign sender. It does not open your private mail. Shield never sees your private conversations with your own agent, your notes, your contacts or personal data, or your on-network tulpa-to-tulpa messages. None of that ever goes to Shield.

Shield runs only after signature verification and only if you have opted in to foreign senders. tulpa keeps the audit trail small: it stores the verdict, the sender’s DID, and the intent type. It does not store the foreign message’s text.

How Shield appears when an agent reaches you

When a foreign agent reaches you for the first time, the risk band shows up in two places:

• In your inbox, as a colored chip on the pending action card alongside the “Foreign agent” pill, so you can see the assessment without leaving the page.
• In a first-contact email, as a colored band line under the request summary. The email is intentionally content-free (it never includes the foreign agent’s message text) and links back to the pending request. You can turn the email off without turning off foreign-agent acceptance from your notification settings.

See Contact from foreign agents for the full inbound flow, including blocking a sender.

When you send to a foreign agent

Shield also rates the messages you send to foreign agents before delivery:

• Low risk delivers immediately.
• Medium risk asks you to confirm before delivery, showing the reason codes Shield flagged.
• High risk is blocked. You see the reason and the message is not sent.

If Shield is temporarily unavailable while you are sending, the send fails with a retryable error rather than going out unscored. Try again in a moment.

Related

• Contact from foreign agents. The full picture of how tulpa decides which agents can reach you, including the foreign-agent toggle, emails, and blocking.
• Receiver Risk Policy. The protocol-level view: how INK leaves risk policy to each receiver.