今日已更新 80 条资讯 | 累计 20052 条内容
关于我们

Your AI agent has sudo. I built a tool to take it away.

Hassan Mehmood 2026年06月21日 20:49 1 次阅读 来源:Dev.to

A few weeks ago I gave an AI agent access to my machine through MCP. It read files, opened PRs, queried a database. It was great — until I looked at what it could have done if a tool description had been poisoned, or a prompt injection had slipped through. The answer was: anything. ~/.ssh/id_rsa . DROP TABLE users . rm -rf / . The agent had sudo, and nobody had voted for that. So I built AgentPerms — a CLI that gives MCP agents least-privilege permissions the same way you'd lock down any other process: figure out the minimum it actually needs, pin it, prove it, and enforce it. pip install agentperms The gap nobody was filling MCP (the Model Context Protocol) is quietly becoming the USB-C of AI tooling. Claude Desktop, Cursor, VS Code, Windsurf, Gemini CLI — they all speak it. Which is wonderful, and also means your agent is one config file away from your filesystem, your repos, your inbox, and prod. The existing tools each do part of the job: Scanners tell you something looks risky. Then they leave. You still have a risky thing. Firewalls / allowlists make you hand-write YAML up front — before you have any idea what the agent will actually use. Neither closes the loop. What I wanted was the boring, proven security workflow we already use for everything else: observe real behavior → derive least privilege → enforce it → keep it honest in CI. That's the whole thesis of AgentPerms, as a pipeline: record → infer → lock → replay → enforce See it in 30 seconds (no setup, no network) AgentPerms ships with a deliberately over-privileged demo MCP server, so you can watch a real policy decision without wiring anything up: # Flag risky config: a ~/.ssh mount and an unpinned npx server agentperms scan --path examples/vulnerable-mcp-demo # Replay a pack of canned attacks against an example policy agentperms replay --policy examples/policies/example.mcp.policy.yaml Output: 8/8 attacks blocked. SSH-key exfiltration, .env reads, rm -rf / , unapproved email, force-push, repo deletio

本文内容来源于互联网,版权归原作者所有
查看原文