How it works

Message in. Verdict out.

Whichever surface you choose - paste, mail, Telegram, extension, API, or MCP - every request runs through the same pipeline. Here's what happens between "send" and "verdict".

01
For you, in three steps

What it looks like from outside.

01

Paste or forward the message.

Copy the suspicious email, SMS, or link to scampilot.de/check. Or forward the mail to your personal Scampilot address. Or send it to @scampilot_bot on Telegram. Any surface you pick - the answer is the same.

02

We analyze.

We check URLs against reputation databases, look at auth headers (SPF/DKIM/DMARC), run heuristics for known tricks, and pass the text through a language model. On low confidence, we escalate to a larger model.

03

You get a verdict - and concrete steps.

Safe, Warn, or Likely scam. With plain-language reasoning, concrete evidence from your message, and two to five next-step actions. Action 1 is always the most important.

02
Anatomy of a report

What you get back - and why every field is there.

A real report from the eval set, annotated.

Likely a scam · 94 / 100

The mail impersonates your bank and pressures you to enter your password immediately - a textbook phishing attempt.

  1. Do not click any link. Your bank never asks like this.
  2. Call your bank using the number on your card - not the one in the mail.
  3. Forward the mail to your bank's phishing desk.
  4. Delete the message.

Verdict & confidence

One of three: safe, warn, danger. Symbol + color + word - never color alone. Confidence as a number 0–100.

Plain-language summary

One sentence, in the message's language. What the model saw, why this verdict. No jargon.

Action list

Two to five imperative steps. Number 1 is always the most important immediate step.

Signals & evidence

Which pattern raised the alarm - and exactly where in your message. Visible under "Why we think so".

Model & tokens

Which model decided, how much compute it used. Transparency for you, cost control for us.

03
Under the hood

Six surfaces. One pipeline. Four layers.

Each layer can sharpen or soften the verdict - none decides on its own.

Layer 1

Ingest & normalise

We take raw text, emails (incl. attachments via OCR/PDF), Telegram posts, API bodies. Everything is reduced to plain UTF-8. Auth headers for mail (EMAIL_AUTH: spf=pass dkim=fail dmarc=fail) are appended as an extra line.

paste · inbound_email · api · mcp · telegram · extension
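One way to derive the EMAIL_AUTH line described in Layer 1, as an added example that is not Scampilot's own code. It assumes the SPF/DKIM/DMARC results are read from the Authentication-Results header stamped by the receiving mail server; `email_auth_line`, the authserv-id `mx.example.net` and the sample message are hypothetical.

```python
import re
from email import message_from_string
from email.policy import default

# Assumption: authserv-id that our own receiving MTA stamps on inbound mail.
TRUSTED_AUTHSERV_ID = "mx.example.net"
METHODS = ("spf", "dkim", "dmarc")
CLAUSE = re.compile(r"\s*(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.I)

def email_auth_line(raw: str, trusted_id: str = TRUSTED_AUTHSERV_ID) -> str:
    """Build the EMAIL_AUTH line from trusted Authentication-Results headers."""
    msg = message_from_string(raw, policy=default)
    results = dict.fromkeys(METHODS, "none")  # a missing method stays "none"
    for header in msg.get_all("Authentication-Results", []):
        value = " ".join(str(header).split())  # collapse folded whitespace
        authserv, _, rest = value.partition(";")
        # Headers stamped by any other host may be sender-supplied: skip them.
        if authserv.strip().split(" ")[0].lower() != trusted_id.lower():
            continue
        for clause in rest.split(";"):
            m = CLAUSE.match(clause)
            if not m:
                continue
            method, result = m.group(1).lower(), m.group(2).lower()
            # Several DKIM signatures can be reported; one valid one is enough.
            if results[method] == "none" or result == "pass":
                results[method] = result
    return "EMAIL_AUTH: " + " ".join(f"{m}={results[m]}" for m in METHODS)

# Constructed sample: the trusted header plus a forged "all pass" header
# that the sender inserted under a different authserv-id.
SAMPLE = (
    "Authentication-Results: mx.example.net;\n"
    " spf=pass smtp.mailfrom=news.example.org;\n"
    " dkim=fail header.d=bank.example;\n"
    " dmarc=fail header.from=bank.example\n"
    "Authentication-Results: mail.attacker.invalid; spf=pass; dkim=pass; dmarc=pass\n"
    "From: Your Bank <security@bank.example>\n"
    "Subject: Verify your password now\n"
    "\n"
    "Enter your password immediately.\n"
)

if __name__ == "__main__":
    print(email_auth_line(SAMPLE))
```

The filter only helps if the border mail server also strips inbound Authentication-Results headers that already carry its own authserv-id, as RFC 8601 requires.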
Layer 2

Reputation & heuristics

Every URL checked against Google Safe Browsing and PhishTank (24 h cache). Regex heuristics for common tricks: urgency, credential prompts, lookalike domains, payment demands. Results pass into the prompt as EXTERNAL SIGNALS.

Layer 3

AI analysis

A language model writes the verdict - in the message's language, structured. If confidence drops below 60 we escalate to a larger model. The escalation wins.

If the AI provider is down we switch to pure heuristics - you still get an answer, flagged as heuristic-fallback.

Layer 4

Reply & delivery

Same structured result to every surface. Paste → card in the browser. Mail → reply email. Telegram → chat message. API/MCP → JSON. Every paste result also gets a signed link, valid for 7 days.

04
Six surfaces, in detail

You pick the path. We handle the rest.

Paste & check

No account

Text box at /check. Rate-limited by hashed IP, 3 checks per day. Result as a card - and as a signed link valid for 7 days.

Personal forwarding inbox

Every account gets a primary alias user.x7q3@in.scampilot.de plus any number of burners. Forward suspicious mail there - report comes back. Optionally we reply with the report straight to the sender (allowlisted addresses only).

Training inbox

No account

Help train Scampilot: forward suspicious messages to training@in.scampilot.de. Whatever lands there feeds our detection, anonymised.

Telegram bot

Forward or paste into the chat with @scampilot_bot. /link <code> binds the chat to your Scampilot account.

Browser extension

Soon

Chrome and Firefox, MV3. Right-click selected text or a link → "Check with Scampilot". Result in the popup, no navigation. Coming soon - we're working on it.

REST API

JSON in, JSON out. Bearer token, per-user-bucket rate limit, OpenAPI spec at /docs/api.

MCP server

For AI agents like Claude or Cursor. Tools scan_text, scan_url, scan_email. HTTP or stdio.