Why Automation Needs Guardrails
AI agents and automated scripts execute commands without human intuition about risk
AI coding agents are powerful. They read your codebase, write code, and execute shell commands to test, build, and deploy. But they lack the instinct that makes a human pause before running kubectl delete namespace production or rm -rf /.
The problem
When an AI agent misunderstands a prompt, the consequences are immediate and real:
- "Clean up old deployments" becomes kubectl delete namespace production
- "Reset the database" becomes DROP DATABASE app_production
- "Remove build artifacts" becomes rm -rf / (missing the path argument)
- "Force push the fix" becomes git push --force origin main
These are not hypothetical scenarios. AI agents operate at the speed of automation with only the context of a text prompt. There is no moment of hesitation, no muscle memory that says "wait, this looks wrong."
Beyond AI agents
The same risk applies to any unattended command execution:
- CI/CD pipelines -- a misconfigured deployment script can run destructive commands in production
- Cron jobs -- scheduled tasks that silently run rm -rf or database cleanup scripts
- ChatOps bots -- Slack commands that trigger infrastructure changes
- Deployment scripts -- shell scripts that accept user input and pipe it into commands
How shellfirm helps
shellfirm provides structured safety checks for automated command execution through two interfaces:
MCP server (for AI agents)
The shellfirm mcp command starts a Model Context Protocol server that AI agents connect to over stdio. Agents call the check_command tool before executing any shell command. shellfirm returns a structured risk assessment with:
- Whether the command is allowed
- Matched patterns with severity and descriptions
- Safer alternatives
- Runtime context signals
- Blast radius information
CLI check (for scripts and pipelines)
The shellfirm check command evaluates a command and returns a structured result:
shellfirm check --command "rm -rf /" --test
# Exit code 1 = risky, exit code 0 = safe
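As an added example (not shellfirm's own code), here is a POSIX shell wrapper that a pipeline, cron job or ChatOps handler could use to gate each command on the check above. It assumes the shellfirm binary is on PATH and reuses the invocation and exit-code contract shown above; the SHELLFIRM_BIN override and the function names are mine. The point it adds beyond the page: a failure of the checker itself (binary missing, usage error, crash) is treated as a block, so the guardrail fails closed instead of falling through to execution.

```shell
# Added example, not shellfirm's own code: gate unattended commands on
# `shellfirm check` and fail closed when the checker itself fails.
#
# Assumptions (mine, not from the page): `shellfirm` is on PATH, and the
# invocation and exit codes are those shown above (0 = safe, 1 = risky).
# SHELLFIRM_BIN exists so a test or dry run can substitute a stub checker.
SHELLFIRM_BIN="${SHELLFIRM_BIN:-shellfirm}"

# check_cmd CMD: returns 0 only when shellfirm reports CMD safe.
# Exit 1 means shellfirm matched a risky pattern. Any other exit code
# (127 binary not found, 2 usage error, a crash) means the guardrail
# did not actually run, so the command is blocked too: an unattended
# safety check must fail closed, never fall through to execution.
check_cmd() {
    "$SHELLFIRM_BIN" check --command "$1" --test >/dev/null 2>&1
    rc=$?
    if [ "$rc" -eq 0 ]; then
        return 0
    elif [ "$rc" -eq 1 ]; then
        printf 'blocked (risky): %s\n' "$1" >&2
    else
        printf 'blocked (checker failed, exit %s): %s\n' "$rc" "$1" >&2
    fi
    return 1
}

# guarded_run CMD: execute the command string only after check_cmd
# approves it. Returns the command's exit status, or 1 when blocked.
# The string form is deliberate: a pipeline step, cron entry or ChatOps
# bot hands shellfirm the exact text it is about to run.
guarded_run() {
    check_cmd "$1" || return 1
    sh -c "$1"
}

# Typical pipeline use (the deploy step runs only if it passes the check):
#   guarded_run "kubectl rollout restart deployment/web -n staging" || exit 1
```

In a pipeline, call guarded_run with `|| exit 1` (or under `set -e`) so that a blocked command actually stops the job rather than letting later steps continue as if it had run. The `--test` flag is copied from the page's own invocation; check it against your installed version before relying on it.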
Auto-deny for unattended execution
When agents or scripts cannot present interactive challenges, shellfirm's auto-deny feature automatically blocks commands that meet or exceed a severity threshold:
agent:
  auto_deny_severity: High
Commands at or above High severity are denied. Commands below that threshold pass through.
What shellfirm does NOT do
shellfirm is a safety net, not a security boundary:
- It does not prevent a determined human from bypassing it
- It does not sandbox or jail processes
- It does not enforce authentication or authorization
- It provides guardrails that catch mistakes, not malice