airlock
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@airlockvet command: npx fast-csv-helper init"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Airlock
A firewall between AI coding agents and dangerous actions.
Airlock blocks hallucinated/slopsquatted package installs, package execution,
leaked secrets, destructive shell commands, and suspicious test changes before
they ship. It works as a CLI, an MCP server, a Claude Code PreToolUse hook,
a git pre-commit hook, and universal PATH shims for any agent or human using
your shell.
npx airlock-cli demoAirlock demo: AI agent wants to run this:
BLOCK npx fast-csv-helper init && rm -rf ~
x Recursive force-delete targeting a root/home path (rm -rf on / ~ or $HOME).
x [fast-csv-helper] Package "fast-csv-helper" does not exist on npm.
Stopped before anything executed.AI coding assistants can hallucinate plausible package names. Security researchers call the attack pattern slopsquatting: attackers register names that models tend to invent, then wait for developers or agents to install them. See research from Cloud Security Alliance, Trend AI Security, and Socket.
Airlock is the seatbelt: let the agent move fast, but force the scary stuff through a deterministic check first.
Quick Start
# one-off package checks
npx airlock-cli check express
npx airlock-cli check requests -e pypi
# vet a whole command before an agent runs it
npx airlock-cli vet-command "npx fast-csv-helper init && rm -rf ~"
# run the full repo safety pass before saying "done"
npx airlock-cli audit
# see which protection layers are installed
npx airlock-cli doctorExit codes:
0: no blocking finding for the command1: blocked package/command, leaked secret, or audit finding2: usage error
Related MCP server: shemcp
Wire It Into Your Agent
npx airlock-cli init claude-code # MCP + native PreToolUse hook
npx airlock-cli init codex # MCP in ~/.codex/config.toml
npx airlock-cli init gemini # MCP in ~/.gemini/settings.json
npx airlock-cli init cursor # MCP in .cursor/mcp.json
npx airlock-cli init shell # universal PATH shims
npx airlock-cli init git # pre-commit secrets + test-change guard
npx airlock-cli init allSurface | Integration | What it protects |
Claude Code | MCP + | Blocks dangerous Bash tool calls before execution |
Codex | MCP server | Gives Codex |
Gemini CLI | MCP server | Gives Gemini |
Cursor | MCP server | Gives Cursor |
Any shell / any agent | PATH shims | Intercepts package managers at the process level |
Git | pre-commit hook | Blocks leaked secrets and suspicious staged test changes |
Claude Code hooks can return permissionDecision: "deny" for PreToolUse
events, so Airlock can block a Bash command without relying on the model to
remember a rule. Claude Code, Codex, Gemini CLI, and Cursor all support MCP
server configuration; Airlock writes those config files for you.
Universal Shell Guard
For the wrapper-agnostic layer:
npx airlock-cli guard install
export PATH="$HOME/.airlock/shims:$PATH"This installs shims for:
npm, npx, pnpm, yarn, bun, bunx, pip, pip3, pipx, uv, uvx, poetry, cargo, gem, bundle, bundler, goNow these are vetted whether they are run by you, Claude Code, Codex, Gemini, Cursor, OpenCode, Roo, Cline, a random shell script, or anything else:
npm install express
npx create-next-app@latest app
pnpm dlx shadcn@latest init
uvx ruff check
pipx run black .
cargo add serde
gem install rails
go install github.com/gin-gonic/gin@latestRemove shims:
npx airlock-cli guard uninstallWhat Airlock Checks
Dependency and package-execution guard (npm, PyPI, crates.io,
RubyGems, Go modules):
Package existence: nonexistent packages/modules -> block
Typosquat:
expresss->expressMashup/slopsquat:
lodash-utils,requests-helperNew + low adoption: recently published packages with weak adoption -> warn/block
Provenance: missing source repository or deprecated packages -> warn
Package executors:
npx,npm exec,pnpm dlx,yarn dlx,bunx,uvx,pipx runScaffold aliases:
npm create vitemaps to the actualcreate-vitepackage before vettingManifest scan:
package.json,requirements.txt,pyproject.toml,Cargo.toml,Gemfile,go.mod
Destructive-command guard:
rm -rf /,rm -rf ~,rm --no-preserve-root-> blockfork bombs,
dd/mkfsto devices, redirects to raw block devices -> blockgit push --force,git reset --hard,git clean -f-> warnDROP TABLE,TRUNCATE TABLE,curl ... | sh-> warnpackage execution from URL/Git specs -> warn
Repo-audit guards:
airlock secretsblocks high-confidence GitHub/OpenAI/Anthropic/AWS/Slack tokens and private keysairlock diff --stagedwarns on suspicious test changes: removed assertions, skipped tests, focused-only tests, or deleted test filesairlock auditruns dependency, secret, and test-change checks together
In Claude Code:
BLOCK ->
denyWARN ->
askALLOW -> silent
Project Policy
Private packages and team decisions belong in policy, not in CLI flags:
npx airlock-cli policy initCreates .airlock.json:
{
"allow": {
"npm": ["@your-org/*"],
"pypi": ["your-private-package"],
"cargo": ["your-private-crate"],
"rubygems": ["your-private-gem"],
"go": ["github.com/your-org/*"]
},
"block": {
"npm": ["known-bad-package"],
"pypi": ["known-bad-package"],
"cargo": ["known-bad-crate"],
"rubygems": ["known-bad-gem"],
"go": ["github.com/bad/*"]
}
}Policy files are discovered from the current directory upward, so a repo can carry its own allow/block rules.
GitHub Action
Use Airlock in CI before merging agent-generated changes:
name: Airlock
on: [pull_request]
jobs:
airlock:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: cjaston/airlock@main
with:
path: "."MCP Tools
Airlock exposes these MCP tools:
vet_package({ name, ecosystem, cwd? })vet_command({ command, cwd? })scan_project({ cwd? })scan_secrets({ cwd? })scan_diff({ cwd?, staged? })audit_project({ cwd?, staged? })
Agents should call vet_command before shell commands that install packages,
execute packages, delete files, rewrite git history, touch disks, or touch
databases. Agents should call audit_project before finishing or committing
code. If the result is BLOCK, do not run the command.
Privacy
No backend
No telemetry
Package names are looked up directly against public registry APIs
Registry facts are cached locally in
~/.airlock/cacheDisable cache for a run with
AIRLOCK_NO_CACHE=1
npx airlock-cli cache status
npx airlock-cli cache clearBuild From Source
git clone https://github.com/cjaston/airlock.git
cd airlock
npm install
npm test
node dist/index.js demoRequires Node 20+.
Acknowledgements
Built by Chris Jaston with AI-assisted development from OpenAI Codex. Airlock is an independent open-source project and is not an official OpenAI product or endorsement.
Roadmap
npm + PyPI + crates.io + RubyGems + Go module checks
typosquat + mashup/slopsquat heuristics
npx/dlx/uvx/pipxpackage execution checksdestructive-command guard
MCP server (
vet_package,vet_command)Claude Code
PreToolUsehookuniversal PATH shims
project policy file (
.airlock.json)repo manifest scan
secret-leak guard
test-subversion detector
git pre-commit hook
more ecosystems: maven, nuget, composer
signed policy bundles for teams
License
MIT
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/cjaston/airlock'
If you have feedback or need assistance with the MCP directory API, please join our Discord server