Something happened over the past year that caught a lot of IT and security teams off-guard: AI tooling moved from “thing your engineers want to try” to “thing your engineers have already installed and are routing production traffic through”.

The result is a visibility problem. Users are installing LLM proxy servers and coding agents that route requests through local gateways, and none of it shows up in your MDM inventory unless you explicitly go looking for it. Some of it is benign, but some of it represents real security risk, either by design or because of how it was installed.

I built these three Jamf Extension Attributes (EAs) to get some actual visibility. They cover different threat models and use different detection strategies, but all three work the same way: deploy as Jamf String EAs, collect during inventory, and use the results to scope Smart Groups for reporting or remediation.

Why Extension Attributes

Jamf EAs run as root during inventory collection, output <result>VALUE</result>, and get stored as searchable computer attributes. They’re lightweight, they run on every managed device automatically, and the results can drive Smart Groups for scoped policies.

The tradeoff is that they’re point-in-time snapshots. An EA running at 9:00 AM won’t catch something installed at 9:05 AM until the next cycle. For these threat models, that’s acceptable: I’m looking for persistent, active deployments, not catching installations in the moment.

LiteLLM Detection

LiteLLM is an OpenAI-compatible proxy layer that lets you route requests to any LLM backend through a single API endpoint. It’s useful for developers, but it’s exactly the kind of tool that ends up installed without a security review because it doesn’t look like a “security tool”.

The detection headache here is that Python packages hide everywhere. Checking only the system Python path will miss most installs. The EA I wrote checks nine locations, including system pip, per-user site-packages across all user directories, virtual environments, Poetry/pipenv caches, the enterprise Homebrew prefix, running processes, ~/.litellm/config.yaml files, and Docker containers.

It uses pip show litellm for version extraction and outputs semicolon-delimited results, allowing for targeted Smart Group criteria like litellm_detection LIKE *running* to surface only active instances.

Axios Supply Chain Compromise Detection

This one is a different beast: it’s not looking for a tool, but for post-compromise artifacts from a specific supply chain attack.

In March 2026, compromised versions of axios included a macOS RAT binary that installed to /Library/Caches/com.apple.act.mond, a path deliberately chosen to blend in with Apple’s own framework caches. My EA checks three things:

  1. RAT binary presence: Uses shasum to verify the hash and prevent false positives from legitimate Apple processes.
  2. Compromised npm packages: Scans all axios/package.json files under /Users to flag the specific compromised versions (1.14.1 and 0.30.4).
  3. Artifact detection: Searches for plain-crypto-js directories, which were only included in the compromised packages.

Any positive finding here should be treated as an incident response trigger, not just inventory housekeeping.

OpenClaw Detection

OpenClaw is an open-source AI agent gateway. In the right hands, it’s a security tool for controlling IDE integration traffic; in the wrong hands, it’s a man-in-the-middle for your developers’ AI interactions.

The detection covers nine vectors: CLI binaries, app locations, state directories, launchd services, and active port listeners. The port check is the critical bit: the EA parses the configured port from openclaw.json before running nc -z localhost PORT. This catches active gateways even when they’ve been configured away from the default, which a simple netstat grep would miss.

Deploying All Three

Used together:

  • LiteLLM: Broad and permissive. Most installs are benign, but a config file or running process warrants a conversation.
  • Axios: Targeted detection for an active threat. Treat matches as P1 incidents.
  • OpenClaw: Infrastructure-level. Surfaces gateways actively intercepting traffic.

Caveats

These are inventory tools, not security controls. A motivated user can avoid these by installing to unusual locations or renaming binaries; the goal here is fleet-wide visibility, not perfect detection against an adversary.

For LiteLLM, the line between “authorized developer tool” and “shadow AI” is a policy decision. These EAs just give you the data to make that decision informed.