agent-airlock

v0.8.9 suspicious
8.0
High Risk

The Pydantic-based Firewall for MCP Servers. Stops hallucinated tool calls, validates schemas, and sandboxes dangerous operations.

🤖 AI Analysis

Final verdict: SUSPICIOUS

The scan matched direct shell execution (`subprocess.check_output(cmd, shell=True)`) and base64-wrapped `cloudpickle` deserialization of payloads, patterns commonly associated with malicious packages. Several of the other matches come from the package's own detection rules, path denylists and docstrings, which a pattern-based scan cannot tell apart from live code. This is not conclusive evidence of a supply-chain attack, but the flagged call sites should be reviewed before the package is trusted.

  • Direct shell command execution
  • Use of obfuscation techniques
Per-check LLM notes
  • Network: Three `requests.get(url)` calls were matched. The surrounding text reads like docstring examples for a `SafeURLValidator` whose validators reject directory traversal, so they may be documentation rather than a live code path. Fetching caller-supplied URLs without validation would still be a risk; confirm where these calls actually execute.
  • Shell: `subprocess.check_output(cmd, shell=True)` appears in two matched contexts, and a string containing `subprocess.run(['pip', 'install', 'cloudpickle', '-q'])` suggests the package installs a dependency at runtime. The remaining matches are the package's own detection rules (for example the `AIRLOCK002` rule for `os.system()`) and documentation of an argv check for `subprocess.Popen(cmd, shell=False)`, which are not executions.
  • Obfuscation: `base64.b64decode` followed by `cloudpickle.loads` appears three times. Unpickling data from an untrusted source executes arbitrary code during deserialization, so this is a genuine concern regardless of intent, although base64 here is transport encoding rather than obfuscation. The other matches are string literals naming `eval(`, `new Function` and similar in the package's own rules, plus an advisory description of a third-party server's use of `eval()`.
  • Credentials: The `/etc/passwd`, `/etc/shadow`, `/etc/sudoers` and metadata-URL references appear inside a denylist of blocked paths and in documentation of what the validators reject, not in code that reads those files or requests those URLs. No credential read or metadata request is shown.
  • Metadata: The author name is missing, and two links on the package page are non-HTTPS: a badge site and `otel-collector:4317`, which is most likely a local OpenTelemetry collector endpoint from a configuration example rather than an external site.

🔬 Heuristic Checks

Outbound Network Calls score 4.5

Found 3 network call pattern(s)

  • pi_call(): return requests.get(url) """ config = RetryConfig( max_retries=m
  • feURL) -> str: return requests.get(url).text The validators reject: - Directory traversal
  • L) -> str: return requests.get(url).text """ validator = SafeURLValidator(
Code Obfuscation score 10.0

Found 6 obfuscation pattern(s)

  • zed_payload}" payload_bytes = base64.b64decode(payload_b64) payload = cloudpickle.loads(payload_bytes) # S
  • sult_data = cloudpickle.loads(base64.b64decode(result_b64)) if result_data.get("success"):
  • " payload = cloudpickle.loads(base64.b64decode(payload_b64)) func = payload["func"] args = payload["args"]
  • n(", "new Function", "eval(", "Deno.eval", "vm.runInNewContext", ) class Flow
  • lculate Server < 0.1.1 uses ``eval()`` to evaluate mathematical expressions without input s
  • ; this one targets bare ``eval(`` / ``parse_expr(`` calls. Primary source: https
Shell / Subprocess Execution score 10.0

Found 6 shell execution pattern(s)

  • os\.system\(", "AIRLOCK002", "os.system() detected"), (r"eval\(", "AIRLOCK003", "eval() dete
  • : str) -> str: return subprocess.check_output(cmd, shell=True) """ from __future__ import annotations im
  • all this immediately before ``subprocess.Popen(cmd, shell=False)`` when the Popen is being driven b
  • cmd: argv list, as for ``subprocess.Popen(args=[...])``. Raises: MCPSecurityError
  • "import subprocess; subprocess.run(['pip', 'install', 'cloudpickle', '-q'])" )
  • subprocess.check_output(cmd, shell=True) """ from __future__ import annotations import functools
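The two kinds of shell finding above are not the same risk: a string passed with `shell=True` lets the caller's data become shell operators, while an argv list avoids the shell but can still be abused when data is split on whitespace and turns into options (the `"8080 --kubeconfig=/etc/shadow"` case quoted under Credential Harvesting). The following is an added example, not agent-airlock's code: `build_*()`, `check_data_args()` and `ArgvInjectionError` are hypothetical helpers written for this illustration, the `kubectl` command is a constructed sample, and nothing here executes a process.

```python
"""Shell string vs argv list vs option injection (added example, not agent-airlock code)."""
import shlex
from typing import Iterable, List


class ArgvInjectionError(ValueError):
    """Hypothetical error type; stands in for whatever the real guard raises."""


SHELL_META = set(";|&$`<>\n")
PREFIX = ["kubectl", "port-forward", "svc/app"]  # constructed example command


def build_shell_string(port: str) -> str:
    """The pattern the scanner flags: caller data interpolated into a shell=True string."""
    return f"kubectl port-forward svc/app {port}:80"


def shell_tokens(cmd: str) -> List[str]:
    """Tokenise the way /bin/sh would, keeping operators such as ';' as separate tokens."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def build_argv(port: str) -> List[str]:
    """argv list: `port` reaches the child as exactly one element, so ';' is never an operator."""
    return PREFIX + [f"{port}:80"]


def build_argv_from_split(port_spec: str) -> List[str]:
    """The mistake from the Credential Harvesting snippet: splitting user data on whitespace
    turns "8080 --kubeconfig=/etc/shadow" into an extra option argument."""
    return PREFIX + shlex.split(port_spec)


def check_data_args(argv: List[str], data_positions: Iterable[int]) -> List[str]:
    """Reject data elements the child would parse as options or a shell would parse as operators."""
    for i in data_positions:
        arg = argv[i]
        if "\x00" in arg:
            raise ArgvInjectionError(f"argv[{i}] contains a NUL byte")
        if arg.startswith("-"):
            raise ArgvInjectionError(f"argv[{i}] {arg!r} would be parsed as an option")
        if SHELL_META & set(arg):
            # Harmless without a shell, but rejected so the same argv stays safe if a
            # downstream layer later joins it into a shell string.
            raise ArgvInjectionError(f"argv[{i}] {arg!r} contains shell metacharacters")
    return argv


def with_end_of_options(prefix: List[str], data: List[str]) -> List[str]:
    """For programs that honour it, '--' makes every later element positional data."""
    return prefix + ["--"] + data


def rejects(argv: List[str], data_positions: Iterable[int]) -> bool:
    """True if check_data_args() refuses this argv (used for the worked cases)."""
    try:
        check_data_args(argv, data_positions)
    except ArgvInjectionError:
        return True
    return False


if __name__ == "__main__":
    print(shell_tokens(build_shell_string("8080; cat /etc/shadow")))
    print(build_argv("8080; cat /etc/shadow"))
    print(build_argv_from_split("8080 --kubeconfig=/etc/shadow"))
    print(rejects(build_argv_from_split("8080 --kubeconfig=/etc/shadow"), range(3, 5)))
```

The point for triage: a `shell=True` match is a real finding whenever the string contains caller data, while an argv-list site is only a finding if data is split into multiple elements or allowed to start with `-`; the `--` separator only helps for programs that honour it.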
Credential Harvesting score 10.0

Found 6 credential access pattern(s)

  • h as ``"8080 --kubeconfig=/etc/shadow"`` thereby became extra flags rather than data. Sentine
  • m, *.key) - System files (/etc/passwd, /etc/shadow) - Metadata URLs (AWS/GCP) - File URLs
  • - System files (/etc/passwd, /etc/shadow) - Metadata URLs (AWS/GCP) - File URLs (file://)
  • r/*", # System files "/etc/passwd", "/etc/shadow", "/etc/hosts", "/etc/sudoers",
  • files "/etc/passwd", "/etc/shadow", "/etc/hosts", "/etc/sudoers", "/proc/*",
  • swd", "/etc/shadow", "/etc/hosts", "/etc/sudoers", "/proc/*", "/sys/*", # ma
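The Obfuscation, Shell and Credential Harvesting sections above all mix live call sites (`cloudpickle.loads(base64.b64decode(...))`, `check_output(cmd, shell=True)`) with string literals from the package's own rules table and path denylist (`"AIRLOCK002", "os.system() detected"`, `"/etc/passwd", "/etc/shadow"`). A grep-style heuristic cannot tell these apart; walking the AST can. The following is an added example, not code from agent-airlock or from the scanner that produced this report; `SAMPLE_SOURCE` is a constructed file modelled on the matched snippets, not the package's actual source.

```python
"""AST triage of pattern matches (added example, not agent-airlock or scanner code)."""
import ast
from dataclasses import dataclass

# Constructed sample modelled on the snippets above: a rules table and a path
# denylist next to one real shell=True call and one real cloudpickle.loads().
SAMPLE_SOURCE = '''
import base64, os, subprocess, cloudpickle

RULES = [
    (r"os\\.system\\(", "AIRLOCK002", "os.system() detected"),
    (r"eval\\(", "AIRLOCK003", "eval() detected"),
]
BLOCKED_PATHS = ["/etc/passwd", "/etc/shadow", "/etc/sudoers"]

def run(cmd: str) -> bytes:
    return subprocess.check_output(cmd, shell=True)

def load(payload_b64: str):
    return cloudpickle.loads(base64.b64decode(payload_b64))

def safe_run(argv: list) -> None:
    subprocess.Popen(argv, shell=False)
'''

SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    detail: str


def _dotted(node: ast.AST) -> str:
    """Render a call target such as subprocess.check_output as a dotted name, else ''."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _shell_kwarg_is_true(call: ast.Call) -> bool:
    for kw in call.keywords:
        if kw.arg == "shell" and isinstance(kw.value, ast.Constant):
            return kw.value.value is True
    return False


def live_calls(source: str) -> list:
    """Real call sites a reviewer should look at, in source order."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        if name == "os.system":
            findings.append(Finding(node.lineno, "shell", "os.system() call"))
        elif name.startswith("subprocess.") and name.split(".", 1)[1] in SUBPROCESS_FUNCS:
            if _shell_kwarg_is_true(node):
                findings.append(Finding(node.lineno, "shell", f"{name}(shell=True)"))
        elif name in ("cloudpickle.loads", "pickle.loads"):
            findings.append(Finding(node.lineno, "deserialization", f"{name}() runs code in the payload"))
        elif name in ("eval", "exec"):
            findings.append(Finding(node.lineno, "eval", f"bare {name}() call"))
    return sorted(findings, key=lambda f: f.line)


def literal_mentions(source: str, needle: str) -> list:
    """Lines where `needle` occurs only inside a string literal (rule text, denylist, docstring)."""
    return sorted(
        n.lineno
        for n in ast.walk(ast.parse(source))
        if isinstance(n, ast.Constant) and isinstance(n.value, str) and needle in n.value
    )


def text_matches(source: str, needle: str) -> int:
    """What a grep-style heuristic counts: every textual occurrence, live or not."""
    return source.count(needle)


if __name__ == "__main__":
    print("text matches for os.system(:", text_matches(SAMPLE_SOURCE, "os.system("))
    print("string-literal mentions:", literal_mentions(SAMPLE_SOURCE, "os.system("))
    for f in live_calls(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

On the constructed sample the textual count for `os.system(` is one while the AST finds no `os.system()` call at all; the two live findings are the `shell=True` call and the `cloudpickle.loads()` call, which is the short list a reviewer of this report should actually open. The `shell=False` Popen and the denylist strings drop out.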
Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain: example.com. Note that example.com is a reserved documentation domain (RFC 2606), so the listed author address is a placeholder rather than a usable contact.

Suspicious Page Links score 4.0

Found 2 suspicious link(s) on the package page

  • Non-HTTPS external link: http://makeapullrequest.com
  • Non-HTTPS external link: http://otel-collector:4317
Git Repository History

Repository sattyamjjain/agent-airlock appears legitimate

Maintainer History score 4.0

2 maintainer concern(s) found

  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with agent-airlock
Create a mini-application named 'SafeToolExec' that leverages the 'agent-airlock' package to ensure secure execution of user-provided tools on a Model Context Protocol (MCP) server. This application will serve as a secure sandbox where users can input code snippets or commands for execution, but only if they pass through the stringent validation and sanitization checks provided by 'agent-airlock'. The application should have the following functionalities:

1. User Interface: Develop a simple web interface using Flask, allowing users to input their code snippets or commands.
2. Input Validation: Utilize 'agent-airlock' to validate the input against predefined schemas to prevent any form of injection attacks or malicious code execution.
3. Execution Sandboxing: Ensure that any validated input is executed in a safe, isolated environment, preventing any unintended access or modifications to the underlying system.
4. Feedback Mechanism: Provide users with feedback on whether their input was valid and successfully executed, or if it was rejected due to security concerns.
5. Logging & Monitoring: Implement logging and monitoring capabilities to track all attempts at code execution, including details about the input, validation status, and execution outcome.

The application should demonstrate the core features of 'agent-airlock', such as its ability to stop hallucinated tool calls, validate schemas, and sandbox dangerous operations, ensuring a secure environment for tool execution on MCP servers.