AI Agent Firewall & Sandbox
Run any AI agent with enforced permissions, real-time monitoring, and a kill switch that actually works.
$ agentguard run "openclaw start --task 'organize my inbox'"
╔══════════════════════════════════════════════════════════╗
║ AgentGuard v1.0.0 — AI Agent Firewall Active ║
╚══════════════════════════════════════════════════════════╝
▸ Container: agentguard-a7f3x (isolated)
▸ Permissions: ~/projects (read-write) · ~/docs (read-only)
▸ Network: api.openai.com only
▸ Secrets: 12 env vars stripped
▸ Kill switch: Ctrl+C → instant container kill
14:32:01 ✓ Read file: ~/projects/todo.md
14:32:03 ✓ Write file: ~/projects/todo.md
14:32:05 ✓ Network: POST api.openai.com/v1/chat
14:32:08 ✗ BLOCKED — Write attempt: ~/.ssh/id_rsa
14:32:08 ✗ BLOCKED — Network: smtp.gmail.com:587
14:32:09 ✗ POLICY VIOLATION — 2 blocked actions in 1s
Agent terminated. Audit log saved to ~/.agentguard/logs/a7f3x.json
On February 10, 2026, Meta's AI safety director Jill ran OpenClaw to organize her inbox. The agent deleted 200+ emails, started sending messages on her behalf, and ignored her STOP commands for over a minute. She had to physically unplug her machine.
This wasn't a fringe tool. OpenClaw has 430,000 lines of code. Nobody — not even Meta's own safety team — could audit it before running it.
Here's the uncomfortable truth about AI agents in 2026:
- They run with YOUR permissions. Every file, every SSH key, every API token — accessible.
- They can act faster than you can react. By the time you see the damage, it's done.
- "STOP" is a suggestion, not a command. Agents process instructions asynchronously. Your interrupt goes into a queue.
- Current "safety" relies on the AI choosing to behave. That's like asking a prisoner to guard themselves.
AgentGuard takes a fundamentally different approach. Instead of asking the AI to follow rules, it enforces rules at the OS and container level. The agent runs inside a locked-down Docker container with only the permissions you explicitly grant. It literally cannot read your SSH keys, delete your emails, or access the network unless you allow it.
The AI doesn't get a choice.
🐳 Docker Isolation — Every agent runs in its own ephemeral container. No access to your host system beyond what you explicitly allow.
🔒 Permission Firewall — Granular control over file read/write, network access, and command execution. Allowlist paths, domains, and commands individually.
⚡ Kill Switch — Ctrl+C kills the container instantly. Not a polite request — a SIGKILL to the container runtime. The agent cannot intercept, delay, or ignore it.
📊 Real-time Dashboard — Watch every file access, network call, and command execution as it happens. Know exactly what the agent is doing, live.
📋 Audit Logs — Full structured record of every action the agent took, every resource it accessed, and every policy violation. JSON format, ready for review or compliance.
🛡️ Secret Protection — Automatically detects and strips API keys, tokens, credentials, and sensitive environment variables before the agent sees them. Supports .env, AWS credentials, SSH keys, and more.
⏱️ Resource Limits — Set CPU, memory, and wall-clock time caps. No runaway agent can mine crypto or OOM your machine.
🔧 Zero Config — Works out of the box with sane defaults. Install, run, done. Customize only when you need to.
Prerequisites: Node.js 18+ and Docker
# 1. Install
npm install -g agentguard
# 2. Run any AI agent safely
agentguard run "your-ai-agent command here"That's it. AgentGuard creates an isolated container, applies default security policies, and streams the agent's output to your terminal. Ctrl+C to kill at any time.
agentguard run "openclaw start --task 'summarize my documents'" \
--allow-read ~/documents \
--allow-write ~/documents/summaries \
--allow-net api.openai.comagentguard run "coding-agent --auto" \
--allow-read ~/projects/myapp \
--allow-write ~/projects/myapp \
--allow-net github.com,registry.npmjs.orgagentguard run "python3 untrusted_script.py" \
--allow-read /tmp/input \
--allow-write /tmp/output \
--no-networkagentguard run "openclaw start" --config agentguard.ymlagentguard run "agent-cli process ./data" --no-networkagentguard run "agent-cli analyze ~/codebase" --read-onlyagentguard run "openclaw start" \
--memory 2g \
--cpus 2 \
--timeout 30mCreate an agentguard.yml in your project root for reusable policies:
# agentguard.yml
# Paths the agent can read
allow_read:
- ~/projects/myapp
- ~/documents/specs
# Paths the agent can write (implies read)
allow_write:
- ~/projects/myapp/src
- ~/projects/myapp/tests
# Paths that are always blocked, even if a parent is allowed
deny:
- ~/.ssh
- ~/.aws
- ~/.gnupg
- ~/.agentguard
- "**/.env"
- "**/credentials*"
# Network allowlist (all other domains blocked)
allow_network:
- api.openai.com
- registry.npmjs.org
- pypi.org
# Resource limits
resources:
memory: 4g # Max memory
cpus: 4 # Max CPU cores
timeout: 60m # Max wall-clock time
max_file_size: 50m # Max single file write size
# What to do on policy violation
on_violation: kill # kill | warn | log
# kill — terminate immediately (recommended)
# warn — alert + continue
# log — silent log only
# Secrets to strip from the agent's environment
strip_secrets: true # Auto-detect and remove sensitive env vars
strip_patterns: # Additional patterns to strip
- "*_TOKEN"
- "*_SECRET"
- "*_KEY"
- "*_PASSWORD"┌─────────────────────────────────────────────────────────────┐
│ YOUR MACHINE │
│ │
│ ┌──────────────────────────────────────────────────────┐ │
│ │ AgentGuard Process │ │
│ │ │ │
│ │ ┌─────────────┐ ┌──────────┐ ┌───────────────┐ │ │
│ │ │ Policy │ │ Monitor │ │ Kill Switch │ │ │
│ │ │ Engine │ │ (live) │ │ (Ctrl+C) │ │ │
│ │ └──────┬──────┘ └────┬─────┘ └──────┬────────┘ │ │
│ │ │ │ │ │ │
│ │ ┌──────┴──────────────┴───────────────┴─────────┐ │ │
│ │ │ Docker Container │ │ │
│ │ │ ┌──────────────────────────────────────────┐ │ │ │
│ │ │ │ AI Agent (sandboxed) │ │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ • Only sees allowed paths │ │ │ │
│ │ │ │ • Only reaches allowed domains │ │ │ │
│ │ │ │ • No access to host secrets │ │ │ │
│ │ │ │ • Resource-capped │ │ │ │
│ │ │ └──────────────────────────────────────────┘ │ │ │
│ │ └────────────────────────────────────────────────┘ │ │
│ └──────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
-
Creates a minimal Docker container — Based on a slim base image with only the runtime your agent needs. No tools, no package managers, no extras.
-
Mounts only allowed paths — Your filesystem is invisible to the agent except for the directories you explicitly allow. Write permissions are separate from read permissions.
-
Blocks all network by default — DNS and IP-level firewall rules ensure the agent can only reach domains you whitelist. Everything else is dropped silently.
-
Monitors all activity in real-time — File operations, network calls, process spawning, and resource usage are tracked and streamed to your terminal.
-
Kills on policy violation — When
on_violation: killis set, a single unauthorized action terminates the container immediately viaSIGKILL. No grace period. No negotiation. -
Saves a full audit log — Every action, allowed or blocked, is recorded in a structured JSON log at
~/.agentguard/logs/.
| Raw Agent | AgentGuard | |
|---|---|---|
| File access | Unlimited — reads anything you can | Sandboxed to allowed paths only |
| Network | Unlimited — can reach any server | Firewalled — allowlisted domains only |
| Kill switch | Hopes the AI processes your interrupt | Container kill — instant, unblockable |
| Your secrets | Fully exposed (SSH keys, tokens, etc.) | Auto-stripped before agent starts |
| Audit trail | None — you have no idea what it did | Full structured log of every action |
| Resource limits | None — can use all CPU/RAM | Enforced CPU, memory, and time caps |
| Damage radius | Your entire system | One disposable container |
agentguard <command> [options]
Commands:
run <cmd> Run an AI agent inside a secure container
logs [session-id] View audit logs from a previous session
config init Generate a default agentguard.yml
config validate Validate an existing config file
ps List running AgentGuard sessions
kill <session-id> Kill a running session
Run Options:
--config, -c Path to config file [default: ./agentguard.yml]
--allow-read Paths the agent can read [array]
--allow-write Paths the agent can write [array]
--allow-net Domains the agent can reach [array]
--no-network Block all network access [boolean]
--read-only Block all write operations [boolean]
--memory Memory limit (e.g., 2g, 512m) [default: 4g]
--cpus CPU limit [default: 4]
--timeout Max runtime (e.g., 30m, 2h) [default: 60m]
--on-violation Action on policy violation [default: kill]
--verbose, -v Show all agent activity in real-time [boolean]
--dry-run Show what would happen without running[boolean]
Examples:
agentguard run "openclaw start" --no-network
agentguard run "my-agent" --allow-write ~/project -c policy.yml
agentguard logs --last
agentguard kill a7f3x
AgentGuard is open source and contributions are welcome.
# Clone the repo
git clone https://github.com/A386official/agentguard.git
cd agentguard
# Install dependencies
npm install
# Run tests
npm test
# Run in development
npm run devAreas we'd especially appreciate help with:
- Additional runtime support (Python agents, Go agents, etc.)
- Windows container support
- Integration tests for edge-case escape scenarios
- Policy templates for popular AI agents
- Dashboard UI improvements
Please read CONTRIBUTING.md before submitting a PR.
MIT © 2026 AgentGuard Contributors
Built because AI agents shouldn't have more access than they need.