Network verification guide

Don't Trust, Check

Audit GhostBro traffic yourself with a local proxy. The recommended default is mitmproxy because it is free, transparent, scriptable, and works across platforms.

Recommended default: mitmproxy

Capture the real requests, not a browser-shaped guess.

GhostBro's AI calls run outside the browser DevTools network tab. A local HTTPS proxy lets you inspect the destination, headers, request body, and response directly from your machine.

mitmproxy --listen-port 8080

# Prefer a browser interface?
mitmweb --listen-port 8080

01. Use mitmproxy First

This path keeps the audit reproducible: install the proxy, trust its local certificate, route GhostBro through it, then inspect only the relevant provider requests.

1. Install mitmproxy

Use the package manager you already trust. These commands are examples, not a requirement.

# macOS
brew install mitmproxy

# Python/pipx
pipx install mitmproxy

# Python/pip
python -m pip install --user mitmproxy

2. Start the proxy

Use the terminal UI for a focused audit, or launch the web UI if you prefer clicking through requests.

# Terminal interface
mitmproxy --listen-port 8080

# Browser interface
mitmweb --listen-port 8080

3. Install the mitmproxy certificate

With the proxy running, open http://mitm.it on the same machine and install the certificate for your OS. This is what allows HTTPS request bodies to be inspected locally.

4. Route GhostBro through the proxy

Launch GhostBro with proxy environment variables so the app's network traffic passes through mitmproxy.

# macOS
HTTPS_PROXY=http://localhost:8080 \
HTTP_PROXY=http://localhost:8080 \
  /Applications/GhostBro.app/Contents/MacOS/GhostBro

# Windows PowerShell
$env:HTTPS_PROXY = "http://localhost:8080"
$env:HTTP_PROXY = "http://localhost:8080"
& "$env:LOCALAPPDATA\Programs\GhostBro\GhostBro.exe"

If your OS or app build already respects the system proxy, you can set the proxy there instead. The environment-variable launch is useful because it makes the audit session explicit and easy to repeat.

02. Inspect the Right Evidence

Trigger a GhostBro AI action, then narrow the capture to the AI provider you configured.

Filter for the provider domain

In mitmproxy, search for the provider domain you selected in GhostBro. Expected AI destinations include:

  • OpenAI: api.openai.com
  • Anthropic: api.anthropic.com
  • Google Gemini: generativelanguage.googleapis.com
  • OpenRouter: openrouter.ai
  • Local LLM: localhost / 127.0.0.1
  • Custom provider: your configured base URL

Check the request body

The AI request should contain only the model, prompt text, and the screenshot or audio-derived payload needed for the action you triggered.

POST https://api.openai.com/v1/chat/completions
Authorization: Bearer sk-********************************
Content-Type: application/json

{
  "model": "gpt-4o",
  "messages": [{
    "role": "user",
    "content": [
      { "type": "text", "text": "Solve this coding problem..." },
      { "type": "image_url", "image_url": { "url": "data:image/png;base64,..." } }
    ]
  }]
}

03. Know What Should Appear

A clean capture is boring in the best way: provider calls for AI work, GhostBro calls for account status, and no surprise data exports.

Expected

  • Requests go only to your configured AI provider domain for AI work.
  • Your API key appears only in the provider Authorization header.
  • The body contains the prompt and the screenshot or transcription payload for the action you triggered.
  • GhostBro account requests go to ghostbro.app for authentication and subscription checks.

Red flags

  • Provider API keys sent to any non-provider domain.
  • Requests to unknown third-party hosts during an AI action.
  • File contents, credentials, browsing history, or unrelated local data in the payload.
  • Repeated background AI calls when you did not trigger an AI action.
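
The first two red flags can be checked automatically with a mitmproxy addon. The script below is an added example, not part of GhostBro or of the original guide; the AUDIT_API_KEY variable and the ghostbro_audit.py file name are assumptions chosen here, and the host lists are copied from the expected destinations above.

```python
import logging
import os

# Expected destinations from this guide; add your custom provider host here.
PROVIDER_HOSTS = {
    "api.openai.com", "api.anthropic.com",
    "generativelanguage.googleapis.com", "openrouter.ai",
    "localhost", "127.0.0.1",
}
ACCOUNT_HOSTS = {"ghostbro.app"}


def audit_request(host, url, headers, body, api_key):
    """Return the red flags raised by one captured request."""
    host = host.lower()
    flags = []
    if host not in PROVIDER_HOSTS | ACCOUNT_HOSTS:
        flags.append(f"unexpected host: {host}")
    if api_key and host not in PROVIDER_HOSTS:
        # Search URL, headers and body so a key that was moved out of the
        # Authorization header is still caught.
        parts = [url, body] + [f"{k}: {v}" for k, v in headers.items()]
        if any(api_key in p for p in parts):
            flags.append(f"provider API key sent to {host}")
    return flags


class GhostBroAudit:
    """mitmproxy addon: mitmproxy calls request() once per client request."""

    def __init__(self):
        # AUDIT_API_KEY is a name chosen for this example: export the same
        # provider key you configured in GhostBro before starting the proxy.
        self.api_key = os.environ.get("AUDIT_API_KEY", "")
        self.findings = []

    def request(self, flow):
        req = flow.request
        body = req.get_text(strict=False) or ""
        for flag in audit_request(req.pretty_host, req.pretty_url,
                                  dict(req.headers.items()), body, self.api_key):
            self.findings.append(flag)
            # Log the finding only; the key itself is never written out.
            logging.warning("GhostBro audit: %s", flag)


addons = [GhostBroAudit()]
```

Save it as ghostbro_audit.py and start the proxy with mitmproxy --listen-port 8080 -s ghostbro_audit.py. This assumes mitmproxy 9 or later, where standard logging output is shown in the event log.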

04. What GhostBro Sends

The exact fields vary by provider, but the shape should stay narrow and understandable.

Field              What it contains
Screenshot image   PNG capture for screenshot analysis, usually sent as a base64 data URL.
Prompt text        The instruction GhostBro uses for the selected action, plus your configured language and context.
Model identifier   For example gpt-4o, claude-3-5-sonnet-latest, or your custom model name.
API key            Your provider key, included only in the provider request authorization header.

Your provider API key should never be sent to GhostBro servers. It should appear only on requests to the AI provider you selected.
