airlock
A security gate MCP server that audits agent extensions (skills, MCP servers, tools) by scanning for risks, adversarial analysis, and sandbox execution, returning a trust verdict of allow, quarantine, or block.
README
Airlock
A security gate for agent extensions. Airlock audits a skill, MCP server, or tool repository before it is allowed to touch your agent. Point it at an artifact and it enumerates what the artifact is, scans it for risky shapes, reads it adversarially with a model, detonates it once inside a hardened sandbox, and returns a trust scorecard with a single verdict: allow, quarantine, or block.
Python 3.10+, MIT licensed.
The problem
Agents now install extensions the way apps install packages. A skill is a folder with a SKILL.md and some scripts; an MCP server is a one-line add. Both run with access to your tools, your files, and your environment. The registries that host them are filling faster than anyone is vetting them, and roughly one in eight public skills has been found to carry a critical vulnerability.
The extension you install today can read your ~/.aws/credentials, dump your environment to a remote host, or hide a line in its SKILL.md that tells your agent to reveal its system prompt. A careful manual review is thirty to sixty minutes of an expert reading code and declared permissions. Most people skip it and install on faith.
What Airlock does
Airlock turns that manual review into a repeatable fifteen-second gate. It runs five stages, and the gate at the end is deterministic, so a model is never the last word on whether something dangerous gets in.
- Recon enumerates the artifact's bill of materials: its files, its
SKILL.mdfrontmatter, its declared permissions, and its executable entrypoints. - The static scan matches the code and the
SKILL.mdagainst a corpus of risky shapes: credential-file reads, environment exfiltration, base64 and network pairings, reverse-shell patterns, package lifecycle hooks, and prompt-injection phrasing. - The adversarial judge, a Gemini model, reads the artifact for intent the patterns miss: a novel exfiltration path, an injection buried in prose, a mismatch between what
SKILL.mdpromises and what the code does. - The sandbox trial detonates the artifact once inside a container with no network, a read-only root, every Linux capability dropped, and hard caps on memory, processes, and time. The environment is seeded with canary secrets. If the artifact reaches for one, Airlock sees it.
- The trust policy fuses every signal into a grade, a tier, and a verdict. A critical finding, a canary touch, or a judged exfiltration is always a block. The model can escalate a verdict; it can never relax one.
How it works
Recon runs first and hands every later stage the same bill of materials. The static scan, the judge, and the sandbox then examine the artifact independently; none of them sees another's output, so a miss in one can't propagate. The trust policy fuses the three signals into the grade, the tier, and the verdict the scorecard reports.
The static scan and the judge are deliberately decorrelated: one matches known shapes, the other reasons about intent, and either can catch what the other misses. The sandbox turns a claim into an observation. The trust policy is plain code, so the same artifact always gets the same verdict, and a wrong or absent judgment can only ever be safe. See docs/architecture.md for the data flow and docs/security-model.md for the threat model, including how Airlock defends itself against an artifact that tries to prompt-inject the auditor.
Quickstart
conda create -n airlock python=3.12 -y
conda activate airlock
pip install -e ".[sandbox,dev]"
# Audit a known-bad example. Deterministic core, no key needed.
airlock audit examples/malicious-skill --no-llm
# Audit a safe one.
airlock audit examples/benign-skill --no-llm
The malicious example comes back grade F, blocked, with the injection line and the credential read cited. The benign one comes back grade A, allowed. Exit codes gate a pipeline: 0 allow, 1 quarantine, 2 block.
Turn on the full pipeline with a key and Docker running:
cp .env.example .env # then set GOOGLE_API_KEY
airlock audit examples/malicious-skill
The sandbox trial detonates the example and reports the canary secrets it emitted. A Google AI Studio key enables the adversarial judge.
To see the whole flow in one place, notebook/airlock_demo.ipynb audits the malicious and benign examples, runs the eval, and falls back to the deterministic core when there is no key or Docker. On Kaggle it reads GOOGLE_API_KEY from Secrets.
Airlock also runs as an MCP server, so an agent can gate an install without shelling out:
airlock-mcp # or: python -m airlock.mcp_server
It speaks JSON-RPC over stdio and offers one tool, audit_extension(path, use_llm?, use_sandbox?), that returns the same verdict the CLI does. The tool defaults to the deterministic core, so it answers with no key and no Docker.
Demonstrated concepts
Airlock is built for the AI Agents Intensive capstone and demonstrates the course concepts with working code, not claims.
| Concept | Where it lives |
|---|---|
| Multi-agent system (ADK) | src/airlock/agents/adk_pipeline.py: a SequentialAgent of scanner, judge, and gate agents |
| Security features | the whole product: sandboxing, deterministic guardrails, injection defense (docs/security-model.md) |
| Deployability | Dockerfile and src/airlock/server.py for Cloud Run; notebook/airlock_demo.ipynb runs it end to end in Kaggle |
| Agent skills | Airlock audits SKILL.md skills and ships as one you can install (skill/SKILL.md) |
| MCP server | src/airlock/mcp_server.py exposes audit_extension over MCP so an agent can gate an install inline |
| Evaluation | eval/run_eval.py scores detection accuracy over a labeled corpus |
Evaluation
python eval/run_eval.py # deterministic core, reproducible offline
python eval/run_eval.py --full # with the judge and the sandbox
The script runs the gate over eval/labels.json, a hand-built corpus of 22 fixtures: 10 malicious extensions covering distinct attack shapes (credential-file reads, environment exfiltration, a reverse shell, a curl | bash installer, an npm postinstall hook, SKILL.md prompt injection, an obfuscated loader, and an MCP server that scrapes the environment) and 12 benign utilities, several of which look suspicious but are not, like a base64 tool and a password-strength checker.
On the deterministic core the gate catches all 10 malicious fixtures and clears all 12 benign ones: recall 100%, precision 100%. Every malicious fixture is inert, targets a non-routable .invalid host, and carries a header marking it a test fixture. tests/test_corpus.py asserts each fixture still reaches its labeled verdict, so a rule change that breaks the number fails the build. Add a folder under eval/fixtures/, label it in eval/labels.json, and rerun.
Roadmap
- Live MCP-server auditing by connecting to a target server and trialing its declared tools, not just reading its manifest.
- An egress detector in the sandbox: a fake metadata endpoint and a DNS sink, so a silent exfiltrator that swallows its errors is still caught.
- The runtime side: watch an installed extension's behavior over time, not just at install.
- More languages in the scanner and the sandbox beyond Python and shell.
License
MIT. See LICENSE.
推荐服务器
Baidu Map
百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。
Playwright MCP Server
一个模型上下文协议服务器,它使大型语言模型能够通过结构化的可访问性快照与网页进行交互,而无需视觉模型或屏幕截图。
Magic Component Platform (MCP)
一个由人工智能驱动的工具,可以从自然语言描述生成现代化的用户界面组件,并与流行的集成开发环境(IDE)集成,从而简化用户界面开发流程。
Audiense Insights MCP Server
通过模型上下文协议启用与 Audiense Insights 账户的交互,从而促进营销洞察和受众数据的提取和分析,包括人口统计信息、行为和影响者互动。
VeyraX
一个单一的 MCP 工具,连接你所有喜爱的工具:Gmail、日历以及其他 40 多个工具。
graphlit-mcp-server
模型上下文协议 (MCP) 服务器实现了 MCP 客户端与 Graphlit 服务之间的集成。 除了网络爬取之外,还可以将任何内容(从 Slack 到 Gmail 再到播客订阅源)导入到 Graphlit 项目中,然后从 MCP 客户端检索相关内容。
Kagi MCP Server
一个 MCP 服务器,集成了 Kagi 搜索功能和 Claude AI,使 Claude 能够在回答需要最新信息的问题时执行实时网络搜索。
e2b-mcp-server
使用 MCP 通过 e2b 运行代码。
Neon MCP Server
用于与 Neon 管理 API 和数据库交互的 MCP 服务器
Exa MCP Server
模型上下文协议(MCP)服务器允许像 Claude 这样的 AI 助手使用 Exa AI 搜索 API 进行网络搜索。这种设置允许 AI 模型以安全和受控的方式获取实时的网络信息。