[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"workflow-pipelock-mcp-firewall-for-agent-egress-8029d015":3,"seo:featured-workflow:8029d015-2365-4580-8fe6-56cc52b5f612:en":37,"workflow-related-pipelock-mcp-firewall-for-agent-egress-8029d015-8029d015-2365-4580-8fe6-56cc52b5f612":83},{"id":4,"uuid":5,"slug":6,"title":7,"description":8,"author_id":9,"author_name":10,"author_avatar":11,"token_estimate":12,"time_saved":12,"model_used":13,"fork_count":12,"vote_count":12,"view_count":14,"parent_id":12,"parent_uuid":13,"lang_type":15,"steps":16,"tags":23,"has_voted":29,"visibility":19,"share_token":13,"is_featured":12,"content_hash":30,"asset_kind":31,"target_tools":32,"install_mode":34,"entrypoint":35,"risk_profile":36,"dependencies":38,"verification":44,"agent_metadata":47,"agent_fit":58,"trust":71,"provenance":79,"created_at":81,"updated_at":82},3101,"8029d015-2365-4580-8fe6-56cc52b5f612","pipelock-mcp-firewall-for-agent-egress","Pipelock — MCP Firewall for Agent Egress","Run Pipelock as an agent firewall\u002Fproxy to scan MCP traffic for injection, secrets, SSRF, and risky tool chains; integrate with Claude Code fast.","8a910e34-3180-11f1-9bc6-00163e2b0d79","Script Depot","https:\u002F\u002Ftokrepo.com\u002Fapple-touch-icon.png",0,"",15,"en",[17],{"id":18,"step_order":19,"title":20,"description":13,"prompt_template":21,"variables":13,"depends_on":22,"expected_output":13},3664,1,"Asset","# Pipelock — MCP Firewall for Agent Egress\n\n> Run Pipelock as an agent firewall\u002Fproxy to scan MCP traffic for injection, secrets, SSRF, and risky tool chains; integrate with Claude Code fast.\n\n## Quick Use\n\n1. Install:\n   ```bash\n   brew install luckyPipewrench\u002Ftap\u002Fpipelock\n   ```\n2. Run:\n   ```bash\n   pipelock claude setup\n   ```\n3. Verify:\n   - Trigger one tool call and confirm it is scanned\u002Fallowed or denied with a clear reason.\n\n\n---\n\n## Intro\n\nRun Pipelock as an agent firewall\u002Fproxy to scan MCP traffic for injection, secrets, SSRF, and risky tool chains; integrate with Claude Code fast.\n\n- **Best for:** teams running tool-using agents (MCP\u002FHTTP) who need egress control and auditable security checks\n- **Works with:** Claude Code hooks, MCP proxy patterns, and forward-proxy style agent egress control (per docs)\n- **Setup time:** 10 minutes\n\n\n### Quantitative Notes\n\n- GitHub stars + forks (verified): see Source & Thanks\n- Docs mention scanners for secrets + injection patterns (repo\u002Fdocs)\n- Setup time ~10 minutes (install + Claude Code setup + restart)\n\n\n---\n\n## Practical Notes\n\nA pragmatic rollout: install the binary, enable Claude Code integration, and restart. Then run 10–20 normal tasks and record what gets flagged. Create allow\u002Fdeny rules based on real incidents: metadata SSRF attempts, secret patterns in prompts, and risky tool chains (e.g., web fetch → write file → exec).\n\n**Safety note:** Don’t rely on a single control. Combine firewall\u002Fproxy checks with least-privilege tools, sandboxing, and human approval for high-risk actions.\n\n### FAQ\n\n**Q: Is this a replacement for sandboxing?**\nA: No. It complements sandboxing by enforcing egress policy and scanning tool traffic.\n\n**Q: Will it break my workflows?**\nA: Start in observe mode (or with a permissive preset) and tighten rules once you see false positives.\n\n**Q: Where should I enforce policy?**\nA: At the boundary: before tools execute or requests leave the machine\u002Fnetwork.\n\n---\n\n## Source & Thanks\n\n> GitHub: https:\u002F\u002Fgithub.com\u002FluckyPipewrench\u002Fpipelock\n> Owner avatar: https:\u002F\u002Favatars.githubusercontent.com\u002Fu\u002F142104046?v=4\n> License (SPDX): Apache-2.0\n> GitHub stars (verified via `api.github.com\u002Frepos\u002FluckyPipewrench\u002Fpipelock`): 577\n> GitHub forks (verified via `api.github.com\u002Frepos\u002FluckyPipewrench\u002Fpipelock`): 61\n\n\n---\n\n\u003C!-- ZH -->\n\n# Pipelock——Agent 出站\u002FMCP 防火墙与代理\n\n> 用 Pipelock 做 agent 防火墙\u002F代理：对 MCP 与出站流量做注入、密钥、SSRF 与危险链路检测；支持快速接入 Claude Code，并输出可审计的拦截原因与证据，便于排查。\n\n## 快速使用\n\n1. 安装：\n   ```bash\n   brew install luckyPipewrench\u002Ftap\u002Fpipelock\n   ```\n2. 运行：\n   ```bash\n   pipelock claude setup\n   ```\n3. 验证：\n   - Trigger one tool call and confirm it is scanned\u002Fallowed or denied with a clear reason.\n\n\n---\n\n## 简介\n\n用 Pipelock 做 agent 防火墙\u002F代理：对 MCP 与出站流量做注入、密钥、SSRF 与危险链路检测；支持快速接入 Claude Code，并输出可审计的拦截原因与证据，便于排查。\n\n- **适合谁（Best for）:** 运行可调用工具的 agents（MCP\u002FHTTP）的团队，需要出站控制与可审计的安全检查\n- **兼容工具（Works with）:** Claude Code hooks、MCP 代理模式、以及 forward-proxy 形式的 agent 出站控制（文档说明）\n- **安装时间（Setup time）:** 10 分钟\n\n\n### 量化信息\n\n- GitHub stars + forks（已核验）：见「来源与感谢」\n- 文档提到 secrets + 注入检测等扫描能力（仓库\u002F文档）\n- 接入约 10 分钟（安装 + setup + 重启）\n\n\n---\n\n## 实战要点\n\n推荐的上线方式：先安装二进制并接入 Claude Code，重启后先跑 10–20 个日常任务，记录被拦截\u002F标记的点。再基于真实风险去写 allow\u002Fdeny：比如云元数据 SSRF、prompt 中的密钥模式、以及危险工具链（web fetch→写文件→执行）。\n\n**安全提示：** 不要依赖单一控制。建议把防火墙\u002F代理与最小权限工具、沙箱、以及高风险动作的人审一起用。\n\n### FAQ\n\n**Q: 能替代沙箱吗？**\nA: 不能。它更像补强：在边界做出站策略与流量扫描，配合沙箱更稳。\n\n**Q: 会不会把流程搞崩？**\nA: 建议先观察模式\u002F宽松预设跑起来，确认误报后再逐步收紧规则。\n\n**Q: 策略应该放在哪？**\nA: 放在边界：工具执行前、请求离开机器\u002F网络之前。\n\n---\n\n## 来源与感谢\n\n> GitHub：https:\u002F\u002Fgithub.com\u002FluckyPipewrench\u002Fpipelock\n> Owner avatar：https:\u002F\u002Favatars.githubusercontent.com\u002Fu\u002F142104046?v=4\n> 许可证（SPDX）：Apache-2.0\n> GitHub stars（已通过 `api.github.com\u002Frepos\u002FluckyPipewrench\u002Fpipelock` 核验）：577\n> GitHub forks（已通过 `api.github.com\u002Frepos\u002FluckyPipewrench\u002Fpipelock` 核验）：61\n","0",[24],{"id":25,"name":26,"slug":27,"icon":28},14,"CLI Tools","cli","🖥️",false,"d0e60278fdfe63dd983b3e763c9dbdaa7b8b453c7b1708cff0a9be0c4bcd79aa","cli_tool",[33],"claude_code","single","README.md",{"executes_code":29,"modifies_global_config":29,"requires_secrets":37,"uses_absolute_paths":29,"network_access":29},null,{"npm":39,"pip":40,"brew":41,"system":43},[],[],[42],"luckyPipewrench\u002Ftap\u002Fpipelock",[],{"commands":45,"expected_files":46},[],[20],{"asset_kind":31,"target_tools":48,"install_mode":34,"entrypoint":35,"risk_profile":49,"dependencies":50,"content_hash":30,"verification":55},[33],{"executes_code":29,"modifies_global_config":29,"requires_secrets":37,"uses_absolute_paths":29,"network_access":29},{"npm":51,"pip":52,"brew":53,"system":54},[],[],[42],[],{"commands":56,"expected_files":57},[],[20],{"target":59,"score":60,"status":61,"policy":61,"why":62,"asset_kind":31,"install_mode":34},"codex",29,"stage_only",[63,64,65,66,67,68,69,70],"target_tools does not include codex","asset_kind cli_tool","install_mode single","markdown-only","policy stage_only","metadata target_tools does not include codex","asset_kind cli_tool is not activated directly for Codex","trust established",{"author_trust_level":72,"verified_publisher":29,"asset_signed_hash":30,"signature_status":73,"install_count":12,"report_count":12,"dangerous_capability_badges":74,"review_status":75,"signals":76},"established","hash_only",[31],"unreviewed",[77,78],"author has published assets","content hash available",{"owner_uuid":9,"owner_name":10,"source_url":80,"content_hash":30,"visibility":19,"created_at":81,"updated_at":82},"https:\u002F\u002Ftokrepo.com\u002Fen\u002Fworkflows\u002Fpipelock-mcp-firewall-for-agent-egress","2026-05-12 01:55:10","2026-05-14 08:18:51",[84,135,188,233],{"id":85,"uuid":86,"slug":87,"title":88,"description":89,"author_id":9,"author_name":10,"author_avatar":11,"token_estimate":12,"time_saved":12,"model_used":13,"fork_count":12,"vote_count":12,"view_count":14,"parent_id":12,"parent_uuid":13,"lang_type":15,"steps":90,"tags":91,"has_voted":29,"visibility":19,"share_token":13,"is_featured":12,"content_hash":93,"asset_kind":31,"target_tools":94,"install_mode":34,"entrypoint":35,"risk_profile":96,"dependencies":97,"verification":102,"agent_metadata":105,"agent_fit":116,"trust":119,"provenance":122,"created_at":124,"updated_at":125,"__relatedScore":126,"__relatedReasons":127,"__sharedTags":133},3072,"e38149fa-1a44-425e-9c82-2bd8eb4d9c6c","graphify-repo-knowledge-graph-mcp","Graphify — Repo Knowledge Graph + MCP","Graphify extracts docs\u002Fcode into a knowledge graph and can install as an MCP\u002Fskill across Claude Code, Cursor, Codex, and Gemini CLI. Install via uv\u002Fpipx.",[],[92],{"id":25,"name":26,"slug":27,"icon":28},"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",[33,59,95],"gemini_cli",{"executes_code":29,"modifies_global_config":29,"requires_secrets":37,"uses_absolute_paths":29,"network_access":29},{"npm":98,"pip":99,"brew":100,"system":101},[],[],[],[],{"commands":103,"expected_files":104},[],[],{"asset_kind":31,"target_tools":106,"install_mode":34,"entrypoint":35,"risk_profile":107,"dependencies":108,"content_hash":93,"verification":113},[33,59,95],{"executes_code":29,"modifies_global_config":29,"requires_secrets":37,"uses_absolute_paths":29,"network_access":29},{"npm":109,"pip":110,"brew":111,"system":112},[],[],[],[],{"commands":114,"expected_files":115},[],[],{"target":59,"score":60,"status":61,"policy":61,"why":117,"asset_kind":31,"install_mode":34},[118,64,65,66,67,69,70],"target_tools includes codex",{"author_trust_level":72,"verified_publisher":29,"asset_signed_hash":93,"signature_status":73,"install_count":12,"report_count":12,"dangerous_capability_badges":120,"review_status":75,"signals":121},[31],[77,78],{"owner_uuid":9,"owner_name":10,"source_url":123,"content_hash":93,"visibility":19,"created_at":124,"updated_at":125},"https:\u002F\u002Ftokrepo.com\u002Fen\u002Fworkflows\u002Fgraphify-repo-knowledge-graph-mcp","2026-05-11 23:58:36","2026-05-14 09:27:43",119.80617997398389,[128,129,130,131,132],"shared-tag","topic-match","same-kind","same-target","same-author",[27,134],"cli-tools",{"id":136,"uuid":137,"slug":138,"title":139,"description":140,"author_id":9,"author_name":10,"author_avatar":11,"token_estimate":12,"time_saved":12,"model_used":13,"fork_count":12,"vote_count":12,"view_count":141,"parent_id":12,"parent_uuid":13,"lang_type":15,"steps":142,"tags":143,"has_voted":29,"visibility":19,"share_token":13,"is_featured":12,"content_hash":93,"asset_kind":27,"target_tools":145,"install_mode":146,"entrypoint":147,"risk_profile":148,"dependencies":149,"verification":154,"agent_metadata":157,"agent_fit":168,"trust":177,"provenance":181,"created_at":183,"updated_at":184,"__relatedScore":185,"__relatedReasons":186,"__sharedTags":187},3470,"82d98340-a47b-547e-8049-a45a3c0e7abc","rampart-policy-firewall-for-ai-agents","Rampart — Policy Firewall for AI Agents","Guardrails for AI coding agents: a policy firewall for shell\u002Ffile\u002Fnetwork and an MCP proxy that blocks or requires approval for dangerous tool calls.",17,[],[144],{"id":25,"name":26,"slug":27,"icon":28},[33,59,95],"brew|curl|go","brew install peg\u002Ftap\u002Frampart && rampart setup claude-code",{"executes_code":29,"modifies_global_config":29,"requires_secrets":37,"uses_absolute_paths":29,"network_access":29},{"npm":150,"pip":151,"brew":152,"system":153},[],[],[],[],{"commands":155,"expected_files":156},[],[],{"asset_kind":27,"target_tools":158,"install_mode":146,"entrypoint":147,"risk_profile":159,"dependencies":160,"content_hash":93,"verification":165},[33,59,95],{"executes_code":29,"modifies_global_config":29,"requires_secrets":37,"uses_absolute_paths":29,"network_access":29},{"npm":161,"pip":162,"brew":163,"system":164},[],[],[],[],{"commands":166,"expected_files":167},[],[],{"target":59,"score":169,"status":170,"policy":171,"why":172,"asset_kind":27,"install_mode":146},94,"native","allow",[118,173,174,66,175,176,70],"asset_kind cli","install_mode brew|curl|go","policy allow","safe markdown-only Codex install",{"author_trust_level":72,"verified_publisher":29,"asset_signed_hash":93,"signature_status":73,"install_count":12,"report_count":12,"dangerous_capability_badges":178,"review_status":75,"signals":179},[],[77,78,180],"no dangerous capability badges",{"owner_uuid":9,"owner_name":10,"source_url":182,"content_hash":93,"visibility":19,"created_at":183,"updated_at":184},"https:\u002F\u002Ftokrepo.com\u002Fen\u002Fworkflows\u002Frampart-policy-firewall-for-ai-agents","2026-05-13 09:19:11","2026-05-14 09:30:49",109.88290875765496,[128,129,131,132],[27,134],{"id":189,"uuid":190,"slug":191,"title":192,"description":193,"author_id":194,"author_name":195,"author_avatar":11,"token_estimate":12,"time_saved":12,"model_used":13,"fork_count":12,"vote_count":12,"view_count":196,"parent_id":12,"parent_uuid":13,"lang_type":15,"steps":197,"tags":198,"has_voted":29,"visibility":19,"share_token":13,"is_featured":12,"content_hash":93,"asset_kind":31,"target_tools":200,"install_mode":34,"entrypoint":35,"risk_profile":201,"dependencies":202,"verification":207,"agent_metadata":210,"agent_fit":221,"trust":223,"provenance":226,"created_at":228,"updated_at":229,"__relatedScore":230,"__relatedReasons":231,"__sharedTags":232},3102,"4a6bad3c-a22a-49b3-868a-5999b9a5db2c","hector-self-hosted-agent-runtime-binary","Hector — Self-Hosted Agent Runtime Binary","Run Hector as a self-hosted agent runtime: a single Go binary that serves an agent API and studio UI, keeping execution on your own infrastructure.","8a910fec-3180-11f1-9bc6-00163e2b0d79","Agent Toolkit",21,[],[199],{"id":25,"name":26,"slug":27,"icon":28},[33,59,95],{"executes_code":29,"modifies_global_config":29,"requires_secrets":37,"uses_absolute_paths":29,"network_access":29},{"npm":203,"pip":204,"brew":205,"system":206},[],[],[],[],{"commands":208,"expected_files":209},[],[],{"asset_kind":31,"target_tools":211,"install_mode":34,"entrypoint":35,"risk_profile":212,"dependencies":213,"content_hash":93,"verification":218},[33,59,95],{"executes_code":29,"modifies_global_config":29,"requires_secrets":37,"uses_absolute_paths":29,"network_access":29},{"npm":214,"pip":215,"brew":216,"system":217},[],[],[],[],{"commands":219,"expected_files":220},[],[],{"target":59,"score":60,"status":61,"policy":61,"why":222,"asset_kind":31,"install_mode":34},[118,64,65,66,67,69,70],{"author_trust_level":72,"verified_publisher":29,"asset_signed_hash":93,"signature_status":73,"install_count":12,"report_count":12,"dangerous_capability_badges":224,"review_status":75,"signals":225},[31],[77,78],{"owner_uuid":194,"owner_name":195,"source_url":227,"content_hash":93,"visibility":19,"created_at":228,"updated_at":229},"https:\u002F\u002Ftokrepo.com\u002Fen\u002Fworkflows\u002Fhector-self-hosted-agent-runtime-binary","2026-05-12 01:55:11","2026-05-14 09:27:24",109.01363402123332,[128,129,130,131],[27,134],{"id":234,"uuid":235,"slug":236,"title":237,"description":238,"author_id":9,"author_name":10,"author_avatar":11,"token_estimate":12,"time_saved":12,"model_used":13,"fork_count":12,"vote_count":12,"view_count":239,"parent_id":12,"parent_uuid":13,"lang_type":15,"steps":240,"tags":241,"has_voted":29,"visibility":19,"share_token":13,"is_featured":12,"content_hash":93,"asset_kind":27,"target_tools":243,"install_mode":244,"entrypoint":245,"risk_profile":246,"dependencies":247,"verification":252,"agent_metadata":255,"agent_fit":266,"trust":269,"provenance":272,"created_at":274,"updated_at":275,"__relatedScore":276,"__relatedReasons":277,"__sharedTags":278},3547,"6fb9f9b6-7136-5255-b60f-b33eede8f3bb","agentsight-zero-instrumentation-agent-observability","AgentSight — Zero-Instrumentation Agent Observability","AgentSight is an MIT eBPF tool that records LLM\u002Fagent traffic without SDK changes, helping you observe Claude Code or Gemini CLI interactions locally.",10,[],[242],{"id":25,"name":26,"slug":27,"icon":28},[33,59,95],"binary|docker","docker run --privileged --pid=host --network=host \\",{"executes_code":29,"modifies_global_config":29,"requires_secrets":37,"uses_absolute_paths":29,"network_access":29},{"npm":248,"pip":249,"brew":250,"system":251},[],[],[],[],{"commands":253,"expected_files":254},[],[],{"asset_kind":27,"target_tools":256,"install_mode":244,"entrypoint":245,"risk_profile":257,"dependencies":258,"content_hash":93,"verification":263},[33,59,95],{"executes_code":29,"modifies_global_config":29,"requires_secrets":37,"uses_absolute_paths":29,"network_access":29},{"npm":259,"pip":260,"brew":261,"system":262},[],[],[],[],{"commands":264,"expected_files":265},[],[],{"target":59,"score":169,"status":170,"policy":171,"why":267,"asset_kind":27,"install_mode":244},[118,173,268,66,175,176,70],"install_mode binary|docker",{"author_trust_level":72,"verified_publisher":29,"asset_signed_hash":93,"signature_status":73,"install_count":12,"report_count":12,"dangerous_capability_badges":270,"review_status":75,"signals":271},[],[77,78,180],{"owner_uuid":9,"owner_name":10,"source_url":273,"content_hash":93,"visibility":19,"created_at":274,"updated_at":275},"https:\u002F\u002Ftokrepo.com\u002Fen\u002Fworkflows\u002Fagentsight-zero-instrumentation-agent-observability","2026-05-13 13:21:37","2026-05-14 00:43:13",106.56208902773734,[128,129,131,132],[27,134]]