ShopGuard AI is a consumer-focused cybersecurity platform that analyzes online storefronts to assess whether they are legitimate retail outlets or potential shopping scams. The application leverages technical heuristics, web content scraping, pricing anomalies, and Anthropic's Claude 3 Models to generate a transparent 0–10 risk score with action recommendations.
- Parallel Telemetry Collection: Evaluates domain age (WHOIS), SSL certificate strength, policy presence (crawling), product prices, and safety blacklist databases concurrently with an asynchronous
asynciostructure. - SSRF & Security Safeguards: Prevents Server-Side Request Forgeries by automatically resolving target domains and blocking internal/loopback IP address ranges (e.g.
127.0.0.1,192.168.x.x). Implements token-based rate limiting per user IP. - AI Orchestration (Triage & Escalation):
- Claude 3 Haiku analyzes structured signals for immediate triage classification (
clearly_safeorclearly_risky). - If ambiguous, signals escalate to Claude 3.5 Sonnet for deep reasoning, generating detailed plain-English justifications and purchase recommendations.
- Claude 3 Haiku analyzes structured signals for immediate triage classification (
- Offline Mock Fallback: In environments without internet or configured API keys, the systems run simulated scans using a built-in telemetry registry for demo URLs (
amazon.com,nike.com,suspicious-deals.shop), allowing testing on standalone sandboxes. - Interactive Weights Adjuster: Users can modify the risk engine's weights for domain age, SSL security, content templates, discounts, payment options, and databases on-the-fly directly inside the dashboard, causing the score to recalculate instantly.
ShopGuard/
├── backend/
│ ├── app/
│ │ ├── api/
│ │ ├── services/
│ │ │ ├── __init__.py
│ │ │ ├── ai_triage.py # Claude Haiku & Sonnet orchestration
│ │ │ ├── risk_engine.py # Weighted score calculations
│ │ │ ├── safe_browsing.py # Google Safe Browsing reputation check
│ │ │ ├── scraper.py # Playwright crawler (detects text, price anomalies)
│ │ │ ├── ssl_checker.py # Certificate validation
│ │ │ └── whois_service.py # Registration age & typosquatting detection
│ │ ├── __init__.py
│ │ ├── config.py # Environment variable configurations
│ │ ├── database.py # Redis client & thread-safe local cache fallback
│ │ └── main.py # FastAPI endpoints, SSRF checks, CORS, rate limits
│ ├── Dockerfile
│ └── requirements.txt
├── frontend/
│ ├── app/
│ │ ├── globals.css # Tailwind directives + dark cybersecurity theme
│ │ ├── layout.tsx # Page layout & SEO tags
│ │ └── page.tsx # Main dashboard UI & Interactive Simulator
│ ├── Dockerfile
│ ├── next.config.js
│ ├── next-env.d.ts
│ ├── package.json
│ ├── postcss.config.js
│ ├── tailwind.config.ts
│ └── tsconfig.json
├── .env.example # Env template
├── .env # Local config loaded at runtime
├── docker-compose.yml # Service orchestration (frontend, backend, redis)
└── README.md
The easiest way to start the entire system (Frontend on port 3000, Backend on port 8000, and Redis cache) is via Docker Compose:
-
Clone & Enter directory:
cd ShopGuard -
Configure keys: Copy
.env.exampleto.envand fill in your keys (the application will run with local mock data if keys are left blank):cp .env.example .env
-
Start container stack:
docker-compose up --build
-
Access the application:
- Frontend:
http://localhost:3000 - Backend API Docs:
http://localhost:8000/docs
- Frontend:
- Python 3.10+
- Node.js 18+ & NPM 9+
- Redis (optional, local cache fallback will be used if unavailable)
cd backend
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
playwright install chromium
# Copy config and start server
cp ../.env .env
uvicorn app.main:app --host 0.0.0.0 --port 8000 --reloadcd frontend
npm install --legacy-peer-deps
npm run devOpen http://localhost:3000 in your web browser.
You can verify the dashboard and risk classification using these preset example urls:
| Domain | Expected Risk Score | Risk Level | Notable Indicators |
|---|---|---|---|
amazon.com |
0.4 |
Low | Age > 28 years, Valid SSL, Stripe/Card processing |
nike.com |
0.6 |
Low | Established domain, verified certificate, secure gateways |
suspicious-deals.shop |
8.2 |
High | 12 days old domain, 84% discount average, wire transfer only |
amaz0n-sale.shop |
9.5 |
High | Typosquatting mimic, missing SSL, WhatsApp checks |
- SSRF Defenses: The backend resolves the hostname of the target domain immediately. If it maps to
127.0.0.1,localhost, link-local (169.254.x.x), or private subnets (10.x.x.x,172.16.x.x,192.168.x.x), the request is rejected with a400 Bad Requestbefore sending any HTTP calls. - Fail-Safe scraping: Headless crawling is ran inside a
try/exceptsandbox timeout. If Playwright is blocked, lacks resources, or times out, the service falls back to a clean socket extraction with standard libraries, reducing the final report confidence instead of crashing.