AI Skill Hub highly recommends: Agent Shell Secure Execution Layer is a quality AI tool. Its AI composite score is 8.2, a solid showing among tools of its kind. If you are looking for a reliable AI tool, it is worth a closer look.
An open-source tool that provides execution-layer security for AI agents. Through a policy-enforced shell environment it delivers auditing and access control over agent actions. Suited to building enterprise AI workflow systems and to developers of AI applications that need secure isolation.
Agent Shell Secure Execution Layer is an open-source tool written in Go, focused on AI security, agents and workflows. As a GitHub open-source project it has active community support and continuous releases; the code is fully transparent and auditable, and it supports local deployment to protect data privacy. Whether for individual use or integration into enterprise workflows, it offers a stable and reliable solution.
```bash
# Option 1: go install (recommended)
go install github.com/canyonroad/agentsh@latest

# Option 2: build from source
git clone https://github.com/canyonroad/agentsh
cd agentsh
go build -o agentsh .

# Option 3: download a prebuilt binary
# Visit the Releases page and download the binary for your platform
# https://github.com/canyonroad/agentsh/releases
```

```bash
# Show help
agentsh --help

# Basic run
agentsh [options] <input>

# See the documentation for detailed usage
# https://github.com/canyonroad/agentsh
```

```bash
# agentsh configuration notes
# Show configuration options
agentsh --config-example > config.yml

# Common settings
# output_dir: ./output
# log_level: info
# workers: 4

# Environment variable (overrides the config file)
export AGENTSH_CONFIG="/path/to/config.yml"
```
macOS note: Native macOS enforcement via ESF (Endpoint Security Framework) + NE (Network Extension) is in Alpha. It works end-to-end — file, process, and network events flow through the system extension to the Go policy engine — but expect rough edges and breaking changes between releases. For production use today, we recommend Linux.

Windows note: We are working to get the minifilter drivers signed. Until then, only Windows WSL2 mode is fully supported for production use.
Secure, policy-enforced execution gateway for AI agents.
agentsh sits under your agent/tooling—intercepting file, network, process, and signal activity (including subprocess trees), enforcing the policy you define, and emitting structured audit events.
Platform note: Linux provides full enforcement (100% security score). macOS ESF+NE (90% score) is in Alpha — functional but not production-ready. Windows WSL2 provides full Linux-equivalent enforcement (100% score); native Windows via minifilter driver + AppContainer (85% score) is pending driver signing. See the Platform Comparison Matrix for details.
---
macOS (Homebrew)
```bash
brew tap canyonroad/tap
brew install --cask agentsh
```
This installs the AgentSH app bundle with the ESF+NE system extension. After installation you'll be prompted to approve the system extension in System Settings > General > Login Items & Extensions.

Linux (from a GitHub Release)
Download the .deb, .rpm, or .apk for your platform from the releases page.
```bash
sudo dpkg -i agentsh_<VERSION>_linux_amd64.deb
```

**From source (Linux)**
```bash
make build
sudo install -m 0755 bin/agentsh bin/agentsh-shell-shim /usr/local/bin
```

**From source (macOS)**
```bash
make build-macos-enterprise
```
See macOS Build Guide for detailed macOS build instructions.

---

**Use in Docker**
See Dockerfile.example for a minimal Debian-based image.
Inside the image, install a release package (or copy your build), then activate the shim:
```bash
agentsh shim install-shell \
  --root / \
  --shim /usr/bin/agentsh-shell-shim \
  --bash \
  --i-understand-this-modifies-the-host
```
Point the shim at your server (sidecar or host):
```dockerfile
ENV AGENTSH_SERVER=http://127.0.0.1:18080
```
Now any /bin/sh -c ... or /bin/bash -lc ... in the container routes through agentsh.
```yaml
version: 1
name: default
file_rules:
  - name: allow-workspace
    paths: ["/workspace", "/workspace/**"]
    operations: [read, open, stat, list, write, create, mkdir, chmod, rename]
    decision: allow
  - name: approve-workspace-delete
    paths: ["/workspace", "/workspace/**"]
    operations: [delete, rmdir]
    decision: approve
    message: "Delete {{.Path}}?"
    timeout: 5m
  - name: deny-ssh-keys
    paths: ["/home/**/.ssh/**", "/root/.ssh/**"]
    operations: ["*"]
    decision: deny
network_rules:
  - name: allow-api
    domains: ["api.example.com"]
    ports: [443]
    decision: allow
command_rules:
  - name: block-dangerous
    commands: ["rm", "shutdown", "reboot"]
    decision: deny
```
---
```yaml
signal_rules:
  # Allow signals to self and children
  - name: allow-self
    signals: ["@all"]
    target:
      type: self
    decision: allow
  - name: allow-children
    signals: ["@all"]
    target:
      type: children
    decision: allow
  # Redirect SIGKILL to graceful SIGTERM
  - name: graceful-kill
    signals: ["SIGKILL"]
    target:
      type: children
    decision: redirect
    redirect_to: SIGTERM
  # Block fatal signals to external processes
  - name: deny-external-fatal
    signals: ["@fatal"]
    target:
      type: external
    decision: deny
```
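An added illustration (not agentsh's own code) of how a policy engine could evaluate the signal_rules above, plus a lint that flags rules an earlier rule makes unreachable. It assumes first-match evaluation, a deny-by-default fallback and a particular expansion of the @all/@fatal groups; none of those are stated on this page.

```python
"""Added illustrative model of agentsh-style signal_rules evaluation; not agentsh's
engine: first-match order, group contents and deny-by-default are assumptions."""

# Assumed expansion of the signal groups named in the page's policy.
ALL_SIGNALS = {"SIGKILL", "SIGTERM", "SIGINT", "SIGHUP", "SIGQUIT", "SIGUSR1", "SIGUSR2"}
SIGNAL_GROUPS = {
    "@all": ALL_SIGNALS,
    "@fatal": {"SIGKILL", "SIGTERM", "SIGINT", "SIGHUP", "SIGQUIT"},
}

# Constructed from the page's signal_rules YAML (target.type flattened to "target").
SIGNAL_RULES = [
    {"name": "allow-self", "signals": ["@all"], "target": "self", "decision": "allow"},
    {"name": "allow-children", "signals": ["@all"], "target": "children", "decision": "allow"},
    {"name": "graceful-kill", "signals": ["SIGKILL"], "target": "children",
     "decision": "redirect", "redirect_to": "SIGTERM"},
    {"name": "deny-external-fatal", "signals": ["@fatal"], "target": "external",
     "decision": "deny"},
]

def expand(patterns):
    """Expand a signals list (names and @groups) into a concrete set of signal names."""
    names = set()
    for p in patterns:
        names |= SIGNAL_GROUPS.get(p, {p})
    return names

def evaluate_signal(rules, signal, target):
    """Return (decision, signal actually delivered, matching rule name) for the first
    rule whose target and signals match; a redirect swaps in redirect_to; no match = deny."""
    for rule in rules:
        if rule["target"] == target and signal in expand(rule["signals"]):
            if rule["decision"] == "redirect":
                return "redirect", rule["redirect_to"], rule["name"]
            return rule["decision"], signal, rule["name"]
    return "deny", signal, None

def shadowed_rules(rules):
    """Lint: rules whose every signal is already matched by an earlier rule with the
    same target, so under first-match evaluation they can never fire."""
    shadowed = []
    for i, rule in enumerate(rules):
        covered = set()
        for earlier in rules[:i]:
            if earlier["target"] == rule["target"]:
                covered |= expand(earlier["signals"])
        if expand(rule["signals"]) <= covered:
            shadowed.append(rule["name"])
    return shadowed
```

With the rules in the order shown, the lint reports graceful-kill as unreachable under first-match evaluation, because allow-children already admits every signal to children. Whether agentsh itself evaluates in order or resolves by specificity is not stated on this page, so confirm the engine's documented precedence before relying on the redirect.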
Ready-to-use snippets for configuring AI coding assistants to use agentsh:
Note: These examples are for local development scenarios where running the AI agent inside a container isn't practical. For production or CI/CD environments, prefer running agents in containers with the shell shim installed—see Use in Docker.
---
The fastest way to "get it" is to run something that spawns subprocesses and touches the filesystem/network.
```bash
./bin/agentsh server --config configs/server-config.yaml
```
- With `env_allow`, agentsh builds a minimal env (PATH/LANG/TERM/HOME) and strips built-in secret keys.
- `env_allow`/`env_deny` plus `env_max_keys`/`env_max_bytes` cap and filter the child env at exec time.
- `env_block_iteration: true` (global or per rule) hides env enumeration; set `policies.env_shim_path` to `libenvshim.so` so agentsh injects `LD_PRELOAD` + `AGENTSH_ENV_BLOCK_ITERATION=1`.
- `BASH_ENV`: disable shell builtins that bypass seccomp. Configure in `sandbox.env_inject` (global) or policy-level `env_inject` (overrides global).
- `config.yml` and policy samples are under `configs/`.

---
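An added model (not agentsh's code) of the child-environment filtering the env_* settings describe: a minimal baseline when env_allow is set, built-in secret stripping, explicit denies, and key/byte caps applied at exec time. The secret-name pattern, the ordering (baseline keys first) and stopping at the first cap hit are assumptions; the parent environment is constructed.

```python
"""Added illustrative model of the child-env filtering the env_* settings describe.
Not agentsh's code: the secret-name pattern, key ordering and the way caps are
applied are assumptions made for this example."""
import re

# Keys the page says the minimal env keeps when env_allow is set.
BASELINE_KEYS = ("PATH", "LANG", "TERM", "HOME")
# Assumed stand-in for agentsh's built-in secret-key list (not on the page).
SECRET_NAME_RE = re.compile(r"SECRET|TOKEN|PASSWORD|API_KEY|PRIVATE_KEY", re.IGNORECASE)

# Constructed parent environment, as an agent process might inherit it.
PARENT_ENV = {
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "HOME": "/home/agent",
    "LANG": "C.UTF-8",
    "TERM": "xterm-256color",
    "AWS_SECRET_ACCESS_KEY": "constructed-not-real",
    "GITHUB_TOKEN": "constructed-not-real",
    "EDITOR": "vim",
    "CI": "true",
    "BUILD_LOG": "x" * 400,
}

def filter_child_env(parent, env_allow=None, env_deny=(), env_max_keys=None, env_max_bytes=None):
    """Return the env a child would receive.

    env_allow=None passes the parent env through (minus denies and secrets); a list
    keeps only the baseline keys plus the listed ones. env_max_keys and env_max_bytes
    (bytes of each KEY=value entry plus its NUL) stop adding entries once hit."""
    candidates = [k for k in BASELINE_KEYS if k in parent]
    candidates += [k for k in parent if k not in candidates]
    child, used_bytes = {}, 0
    for key in candidates:
        if env_allow is not None and key not in BASELINE_KEYS and key not in env_allow:
            continue  # not in the minimal env
        if key in env_deny or SECRET_NAME_RE.search(key):
            continue  # explicit deny or built-in secret strip
        entry_bytes = len(f"{key}={parent[key]}".encode()) + 1  # trailing NUL
        if env_max_keys is not None and len(child) >= env_max_keys:
            break
        if env_max_bytes is not None and used_bytes + entry_bytes > env_max_bytes:
            break
        child[key] = parent[key]
        used_bytes += entry_bytes
    return child
```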
| Field | Values | Description |
|---|---|---|
| visibility | silent, audit_only, warn | How redirects are logged/shown |
| on_failure | fail_closed, fail_open, retry_original | What happens if redirect fails |
| tls_mode | passthrough, rewrite_sni | TLS handling for connect redirect |
- agentsh-mcp-protection-demo - live demo of cross-server exfiltration detection, rug pull blocking, and policy generation
- SECURITY.md - what agentsh protects against, known limitations, operator checklist
- SECURITY.md#external-kms-integration - AWS KMS, Azure Key Vault, HashiCorp Vault, GCP Cloud KMS for audit integrity keys
- configs/server-config.yaml
- configs/policies/default.yaml
- Dockerfile.example
- docs/operations/policies.md - policy variables, signal rules, network redirect
- docs/agentsh-db-access-spec.md - Postgres-only database enforcement scope, policy semantics, redirect behavior, and roadmap
- docs/cookbook/command-policies.md - how to allow a new binary, when to use wrap instead of exec, and how to debug a denial
- docs/cookbook/http-services.md - recipes for routing outbound HTTP API calls through declared services with rules and approval gating
- docs/cookbook/sandbox-sdk-integrations.md - shim_install config for Tensorlake / E2B / Modal / Daytona where commands run as siblings of the agentsh server
- skills/ - AI-assistant skills for creating and editing policies in Claude Code, NanoClaw, etc.
- docs/platform-comparison.md - feature support, security scores, performance by platform
- docs/bubblewrap-vs-agentsh-comparison.md - comparison with Bubblewrap for Linux container sandboxing
- docs/agentsh-db-access-spec.md - PostgreSQL proxy taxonomy, effects model, database_rules, connection rules, threat model
- detect: docs/security-modes.md - enforcement modes, protection score, and what agentsh detect reports
- docs/seccomp.md - syscall filtering, execve interception, and socket-family blocking
- docs/ptrace-support.md - PTRACE_SEIZE enforcement for restricted containers (attach_mode, seccomp prefilter)
- docs/ebpf.md - eBPF network tracing & policy enforcement
- docs/llm-proxy.md - embedded proxy configuration, DLP patterns, usage tracking
- docs/macos-build.md - ESF+NE build instructions
- docs/macos-esf-ne-architecture.md - System Extension, XPC, and deployment details
- docs/macos-xpc-sandbox.md - XPC/Mach IPC control for sandboxed processes
- Environment variables (AGENTSH_* overrides, auto-start toggles, transport selection): docs/spec.md §15.3 "Environment Variables"
- configs/server-config.yaml and internal/netmonitor
- agentsh --help, agentsh exec --help, agentsh shim --help

---
Created with the help of agents for agents.
An innovative AI security approach that fills the gap in execution-layer protection for agents. The Go implementation performs well and the policy engine is flexible. Suited to enterprise applications with strict security-audit requirements.
AI Skill Hub is a third-party content aggregation platform; the information on this page is compiled from public data and carries no legal endorsement of the tool's functionality or quality.
It is advisable to validate thoroughly in a sandbox or test environment, and to carry out the necessary security assessment, before deploying to production.
✅ Apache 2.0: a permissive open-source license; commercial use permitted, copyright notice and NOTICE file must be retained, includes a patent grant.
Overall, Agent Shell Secure Execution Layer is a high-quality AI tool with a degree of competitiveness among its peers. AI Skill Hub will keep tracking its updates; consider bookmarking it and adopting it when it fits your own scenario.
| Field | Value |
|---|---|
| Original name | agentsh |
| Original description | Open-source AI workflow: Execution-Layer Security (ELS) for AI agents — policy-enforced shell with audit. ⭐300 · Go |
| Topics | AI security, agent, workflow, Shell, execution, audit logs |
| GitHub | https://github.com/canyonroad/agentsh |
| License | Apache-2.0 |
| Language | Go |

Listed: 2026-05-20 · Updated: 2026-05-30 · License: Apache-2.0 · AI Skill Hub makes no legal endorsement of the accuracy of third-party content.