Agentsh

Agentsh

Execution-layer security gateway that enforces syscall policy on AI agents at runtime.

69/100MonitorFreeFree

If you're running autonomous agents in production and want security that can't be bypassed by clever prompts, agentsh is the most practical option. Open-source, syscall-level enforcement, and simple CLI integration make it a strong pick for teams comfortable with the command line. Don't expect a managed dashboard or low-code setup.

Best for
  • Developers building autonomous AI agents in production and needing deterministic security
  • Security engineers enforcing runtime policy beyond prompt guardrails
  • Teams deploying agents via sandbox platforms (E2B, Vercel, Modal, etc.)
  • Organizations requiring audit-grade logs for compliance (subprocess trees, syscalls)
Not ideal for
  • Low-code/no-code builders who want a managed UI for agent security
  • Teams needing a centralized SaaS management dashboard (no cloud console yet)
  • Users without development or sysadmin experience (requires CLI installation)
Visit Website

IntermediateCLINo public APIVerified 12d ago
Pricing
Free
FreeFree tier
Learning curve
Intermediate
Runs on
CLI
No public API · 12 integrations
Integrates with
E2BSpritesDaytonaBlaxelVercelModal+6 more
Live sentiment
Is Agentsh actually worth it?

We scan live Reddit threads, YouTube comments, X posts, G2 reviews and other communities — and hand you an honest verdict in under a minute.

  • Honest verdict, not marketing
  • Real pros & cons from real users
  • Attributed quotes with receipts
Run a free scan

3 free scans · no card needed

In short

Agentsh — Execution-layer security gateway that enforces syscall policy on AI agents at runtime. Best for Developers building autonomous AI agents in production and needing deterministic security, Security engineers enforcing runtime policy beyond prompt guardrails, Teams deploying agents via sandbox platforms (E2B, Vercel, Modal, etc.). Free to use.

Viability Score

69/100
Monitor

How likely is Agentsh to still be operational in 12 months? Based on 4 signals — momentum (how recently it shipped), wrapper dependency, revenue model, and web presence.

momentum
55
funding runway
40
website health
90
wrapper dependency
100

Last calculated: July 2026

How we score →

Key Features

  • Execution-layer security: intercepts file, network, and process syscalls at runtime
  • Prompt-proof enforcement: overrides any agent prompt, tool output, or jailbreak
  • Full audit log with subprocess tree visibility
  • Approval gates: risky operations require human or CI confirmation
  • Policy engine: allow, deny, approve, redirect, audit, soft_delete actions
  • Drop-in deployment: shim between agent harness and OS, no code changes
  • Subprocess blind spot detection: captures pip installs, npm scripts, makefiles
  • Secret exposure prevention: controls access to environment variables and credentials
  • Cross-platform installation: macOS (Homebrew), Linux (deb, rpm, arch, alpine, source)
  • Multi-architecture support: amd64 and arm64 for Linux
  • Container deployment via shell shim (replaces /bin/bash and /bin/sh)
  • Harness wrapping: runs entire agent harness under policy control
  • SDK integrations for E2B, Sprites, Daytona, Blaxel, Vercel, Modal, Cloudflare, Deno, exe.dev, Runloop, Freestyle,
  • Structured event output for external logging systems
  • Quarantine with restore via soft_delete

About Agentsh

FreeIntermediateNo APICLI

Agentsh is an open-source, execution-layer security gateway for AI agents. It intercepts file, network, and process operations at the system call level — regardless of the agent's prompt or tool output — and enforces deterministic policy actions: allow, deny, require approval, redirect, or quarantine. Designed for developers and security teams deploying autonomous agents in production, agentsh integrates as a drop-in shim between the agent harness (Claude, GPT, Cursor, etc.) and the operating system. It provides prompt-proof enforcement: even if an agent is jailbroken or subject to prompt injection, the execution policy remains unchanged. Key capabilities include: syscall-level interception of file, network, and process activity; full audit logging with subprocess tree visibility; approval gates for risky operations; and a soft_delete quarantine with restore. Agentsh captures subprocess blind spots like pip installs, npm scripts, and makefiles that typical prompt-level guardrails miss. It also prevents secret exposure by controlling access to environment variables and credentials. The project ships as a CLI tool with packages for macOS (Homebrew), Linux (deb, rpm, arch, alpine), and multi-architecture support (amd64 and arm64). Container deployment is supported via a shell shim that swaps /bin/bash and /bin/sh. Agentsh integrates with sandbox platforms including E2B, Vercel, Modal, Cloudflare, Deno, and others via npm or pip SDK packages. It can wrap the entire agent harness to catch built-in file/network tools, not just shell commands. The open-source Apache 2.0 license allows self-hosting and customization. Unlike prompt-based guardrails, agentsh enforces at the syscall boundary — where actions actually happen. This makes it resistant to reasoning errors, jailbreaks, and tool-output manipulation. It is a stronger alternative for teams that need deterministic security independent of model behavior, but it lacks a managed cloud console and requires command-line

Behind the Verdict

Agentsh fills a genuine gap in AI agent security: prompt-level guardrails are unreliable because they depend on the model complying. By intercepting syscalls directly, agentsh makes enforcement deterministic. We'd reach for it when deploying agents that have file system, network, or subprocess access — precisely the scenarios where prompt injections or jailbreaks are most dangerous. Where it bites: there's no SaaS dashboard, no graphical policy editor, and no managed cloud tier. Setup requires CLI familiarity and system administration knowledge — you install a binary, configure policies with files or flags, and run your agent as a child process. If your team isn't comfortable with command-line tools, this isn't for you. The project is open-source under Apache 2.0 with no paid tiers visible. That's great for transparency and cost, but enterprise support remains unclear. Compared to alternatives like prompt-level guardrails (e.g., Guardrails AI, NVIDIA NeMo Guardrails), agentsh operates at a fundamentally different layer. Prompt guardrails can be bypassed by jailbreaks or reasoning errors; agentsh cannot, because it controls what actually executes. However, those alternatives offer managed UIs and cloud consoles that agentsh lacks. In practice, we see agentsh fitting best in CI/CD pipelines, sandboxed agent platforms, and production deployments where security is critical. It's less suited for prototyping or low-code workflows. One caveat: the shell shim approach modifies the host's /bin/bash and /bin/sh, which is invasive. The harness wrapping method is safer, but requires running the entire agent under agentsh. Teams should test thoroughly before deploying in sensitive environments.

Researching Agentsh? Get your full AI stack in 60 seconds.

Free, no signup — tell us your goal and get tools matched to your budget & existing stack.

Use Cases

  • Prevent an AI agent from deleting critical system files even if prompted by a jailbreak.
  • Block unauthorized network connections to external hosts during agent execution.
  • Automatically approve read-only file operations while requiring human approval for destructive writes.
  • Log every subprocess spawned by the agent (e.g., npm install, pip) for security audit.
  • Steer dangerous commands like rm -rf to a quarantine directory instead of executing them.
  • Enforce that the agent never accesses environment variables containing API keys or secrets.

Limitations

  • No SaaS/cloud management dashboard — all configuration and monitoring are local.
  • The tool requires command-line expertise for installation and policy definition.
  • There is no built-in support for dynamic policy changes at runtime without restarting the agent workflow.
  • The open-source license (Apache 2.0) may not suit organizations requiring proprietary extensions.

12-month cost

Project the real annual outlay, including the implied monthly cost when only an annual tier is published.

Annual total
Free
Over 12 months
Effective monthly

Vendor list price only. Add-on usage, seat overages, and contract minimums are surfaced under Hidden costs & gotchas.

Featured Head-to-Head Comparisons

Popular in Security & Privacy

AudioEye

AudioEye

Automated web accessibility compliance platform for ADA and WCAG.

PaidTry
Push Security

Push Security

Browser security platform that stops AI-powered attacks and controls AI tool usage.

FreemiumTry
Sublime Security

Sublime Security

Agentic AI email security that stops BEC and phishing with full transparency.

Contact SalesTry

Frequently Asked Questions

Used Agentsh? Help shape our editorial sentiment research.