Cloudflare engineer posts 'veil' agent

1/ A Cloudflare engineer has posted an open-source OPSEC agent called `veil`, adding another example of security tooling being packaged as an “agent” rather than a conventional scanner. The project’s public README describes a local-first CLI/agent for identity leak scanning, breach monitoring, paste-site checks, OSINT, wallet clustering and deanonymization-risk analysis. (github.com) 2/ The core claim in the repo is privacy-first operation. `veil` says processing and storage stay on the user’s machine, outbound scans are routed through Tor by default, data is encrypted, and no cloud telemetry or API keys leave the machine. The README also says Tor must be running locally on port 9050 unless the user disables it with `--no-tor`. (github.com) 3/ Functionally, the tool bundles several workflows security teams usually stitch together by hand. The README lists breach-database monitoring, paste-site monitoring for leaked credentials and personal data, username enumeration across platforms, and metadata analysis including EXIF, DNS and HTTP headers. (github.com) 4/ The crypto side is what makes the project stand out from a standard breach-monitoring utility. `veil` says it can do wallet clustering using common-input-ownership heuristics, trace transaction graphs, and score deanonymization risk based on address reuse, exchange deposits, timing correlation and cluster size. (github.com) 5/ The repo also frames `veil` as an agent pipeline rather than a single binary. Its architecture diagram breaks the system into scanner, chain-analysis, threat-model and report-engine components, with a CLI/agent layer on top and an encrypted SQLCipher database underneath. (github.com) 6/ Rust is part of the pitch, but not the whole stack. The project’s README says users can optionally build “rust performance modules,” and specifically mentions “Rust-accelerated graph operations via NAPI-RS” for large address sets. That suggests a mixed Node/Rust design where Rust is used for the heavier graph-analysis path. (github.com) 7/ Another notable detail is the local-model piece. The README says threat analysis can run through Ollama or llama.cpp, with queries staying on the user’s machine, and that the tool can generate markdown, JSON and alert outputs as well as an OPSEC score from 0 to 100. (github.com) 8/ The “hosted on Pump.fun” part appears to refer to distribution or community visibility around the project, not to the codebase itself. Public search results show a GitHub repository under `veilOP/veil` and separate Pump pages for various “VEIL” tokens, but I could not independently verify from accessible source pages that Pump.fun is the canonical home of the software repository itself. That is an inference based on the available public materials, not a confirmed project statement. (github.com) 9/ What the project shows, concretely, is engineers turning incident-monitoring and personal-security workflows into composable agent systems. Cloudflare has separately been pushing agent infrastructure of its own, including “Project Think,” which it describes as primitives for long-running agents with durable execution, sub-agents and sandboxed code execution. `veil` is not a Cloudflare product announcement, but it lands in a broader environment where agent patterns are moving into operational software. (blog.cloudflare.com) 10/ The immediate next place to watch is the public `veilOP/veil` repository, where the README already exposes install steps, commands such as `scan`, `monitor`, `report` and `score`, and the optional Rust build path. If the author expands the project, the clearest signals will be new modules, documentation updates and release activity there. (github.com) What I could verify: the public GitHub README for `veil` and its stated features. What I could not fully verify from accessible sources: the exact identity details behind the X post and whether Pump.fun is officially the project’s primary hosting venue rather than an adjacent distribution/community layer.