Ephemeral Agent

Zero-install, self-destructing remote access agent. Run a single command for temporary screen sharing with full KVM control.

Overview

The Ephemeral Agent is a zero-install, one-liner remote access agent. No software is installed permanently on the target machine. The agent runs entirely in memory and self-destructs after the session ends or the TTL expires.

The downloaded binary is signed with Ed25519 and verified before execution. If the signature check fails, the agent refuses to start and removes itself immediately.

How It Works

  1. Operator generates a unique session code from the Syslok dashboard
  2. Operator shares the one-liner command with the remote user
  3. User runs the command in their terminal
  4. A consent prompt is displayed — the user must explicitly approve the connection
  5. The agent loads into memory and verifies the binary signature
  6. An encrypted connection is established to the Syslok server
  7. The session becomes active — screen, keyboard, and mouse are shared
  8. When the TTL expires or the session is ended, the agent self-destructs
  9. All temporary files are removed — no traces are left on the system

Running the Agent

Each session generates a unique URL. The URL expires once used or after the session TTL elapses.

macOS / Linux

Terminal
$ curl -sSL https://syslok.com/s/A7X-K9M | bash

Windows (PowerShell)

PowerShell
PS> irm syslok.com/s/A7X-K9M | iex

The URL in the command is unique per session and expires after use. Do not bookmark or reuse these URLs.

Session Lifecycle

1. Connecting: The agent verifies the binary signature, displays the consent prompt, and initiates a TLS-encrypted connection to the server.
2. Active: Screen, keyboard, and mouse are shared with the remote operator. The TTL countdown begins.
3. TTL Countdown: The session has a finite lifetime. A countdown is visible in the terminal. The operator can end the session early, but cannot extend the TTL.
4. Disconnect: The session ends gracefully. The connection is closed and the operator loses access immediately.
5. Cleanup: The agent binary is deleted from disk. All temporary files are removed. No background services, auto-start entries, or other traces are left behind.

Supported Platforms

Platform   Architectures            Method
Linux      x86_64, aarch64, armv7   Native binary
macOS      Apple Silicon, Intel     Native binary
FreeBSD    x86_64                   Native binary
Windows    x86_64                   PowerShell script (native APIs, no binary download)

Security Notes

  • Binary signature verification with Ed25519 — tampered binaries are rejected
  • Memory-only execution — the agent runs without persisting to disk beyond the initial download
  • No disk persistence after session ends — binary and all temp files are deleted
  • No background services or daemons are installed
  • No auto-start entries are created in the system
  • TTL enforcement is local — the agent enforces its own expiry independently of the server, so TTL cannot be extended even if the server is compromised
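
The verify-before-run behaviour described in the Overview and in the first security note, as an added Go example that is not Syslok's code. It assumes a detached Ed25519 signature and a public key pinned in the loader; the name loadVerified, the error value, and the demo key pair are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"os"
)

// ErrBadSignature is a hypothetical error value for a failed check.
var ErrBadSignature = errors.New("signature check failed: payload removed")

// loadVerified reads the downloaded file once, checks its detached Ed25519
// signature against a pinned public key, and returns the verified bytes.
// On any failure the file is deleted so no unverified payload is left behind.
func loadVerified(path string, sig []byte, pinned ed25519.PublicKey) ([]byte, error) {
	if len(pinned) != ed25519.PublicKeySize { // Verify panics on a bad key length
		os.Remove(path)
		return nil, errors.New("pinned public key has wrong length")
	}
	data, err := os.ReadFile(path)
	if err != nil {
		os.Remove(path)
		return nil, err
	}
	if !ed25519.Verify(pinned, data, sig) { // also false for a malformed signature
		os.Remove(path)
		return nil, ErrBadSignature
	}
	// Run from these bytes rather than reopening path: the file on disk
	// could be replaced between the check and the exec.
	return data, nil
}

func main() {
	// Constructed demo: a throwaway key pair stands in for the vendor key.
	pub, priv, _ := ed25519.GenerateKey(nil)
	payload := []byte("constructed agent payload")
	f, _ := os.CreateTemp("", "agent-*")
	f.Write(payload)
	f.Close()
	_, err := loadVerified(f.Name(), ed25519.Sign(priv, payload), pub)
	fmt.Println("genuine payload accepted:", err == nil)
	os.Remove(f.Name())
}
```

The check only protects the user if the public key is obtained independently of the channel that delivers the binary and its signature.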