Tirith intercepts terminal input to detect homograph URLs, ANSI injection, obfuscated payloads, credential exfiltration, and known-bad packages by checking against a signed threat intelligence database. It explicitly targets AI agents and their configurations as part of its threat model, protecting them from malicious skills and shell commands. The tool integrates into shells via an init command and blocks dangerous content before it can execute.