Runtime security for AI coding agents: policy enforcement, secret prevention, and supply-chain blocking.
Project description
Immunity Agent
Runtime security for AI coding agents. Policy enforcement, secret prevention, supply-chain blocking, and session auditing — all running locally on your machine.
What it does
AI coding agents execute shell commands, read files, call APIs, and install packages autonomously. Immunity Agent sits between the agent and the operating system to:
- Block dangerous actions before they run — destructive commands, privilege escalation, reverse shells, secret exfiltration
- Intercept package installs and score them for supply-chain risk before they touch your disk
- Prevent secrets from reaching the model — register a secret under a placeholder name; the hook substitutes the real value at execution time
- Log every tool call to a local SQLite store for session review and auditing
Supports Claude Code, Cursor, Windsurf, and more.
Install
pip install immunity-agent
Requires Python ≥ 3.8 and PyYAML (installed automatically).
Quick start
Install Warden hooks into your project (enforces policy on every agent tool call):
warden install-hooks --agent claude --workspace . --mode observe
Start in observe mode to log would-be blocks without interrupting the agent. Switch to enforce when ready:
warden install-hooks --agent claude --workspace . --mode enforce
Wrap your package manager to score installs before they run:
immunity npm install express
immunity pip install requests
immunity cargo add serde
Check a command against policy before running it:
warden check "rm -rf /"
# BLOCK destructive_command CRITICAL
Audit your workspace security posture:
warden audit
Scan AI tool configs for leaked secrets:
warden sweep
Launch the self-hosted dashboard (reads from local SQLite, no cloud):
warden serve # http://127.0.0.1:7070
Detection coverage
Warden ships with 56 rules covering the OWASP Top 10 for LLM Applications:
| Category | Severity | What it catches |
|---|---|---|
| Destructive command | CRITICAL | rm -rf /, mkfs, dd to disk |
| Secret exfiltration | CRITICAL | cat .env | curl, piping credentials outbound |
| RCE canary | CRITICAL | Reverse shells, bash -i /dev/tcp |
| Privilege escalation | CRITICAL | chmod +s, sudoers edits, useradd |
| Remote execution | HIGH | curl | bash, wget | sh |
| Secret access | HIGH | Reads of .env, .aws/credentials, .ssh/id_rsa |
| Path traversal | HIGH | ../../etc/passwd, /proc/self/environ |
| DB modification | HIGH | DROP TABLE, DELETE FROM in shell commands |
| Prompt injection | HIGH | ignore instructions, reveal system prompt |
| Risky write | MEDIUM | Edits to Dockerfile, CI workflows, package.json |
Rules are defined in YAML and fully customizable per-project.
Supply chain enforcement
The immunity CLI wraps your package manager and evaluates every install against live threat intelligence before it runs. Packages are scored on age, maintainer count, install scripts, and known IOCs. Ships with IOC coverage for recent attacks including the AntV hijacked-maintainer attack (May 2026) and the mini-shai-hulud campaign (May 2026).
immunity npm install @tanstack/react-router
BLOCK score 100 @tanstack/react-router
42 @tanstack/* packages compromised via CI/CD cache poisoning
Verdicts: < 30 allow · 30–59 warn · ≥ 60 block. IOC matches always block.
Secret cloaking
Register a secret under a placeholder name:
warden cloak add stripe_key
# prompts for the value — never stored in shell history
Reference it in agent instructions:
Run: curl https://api.stripe.com -H "Authorization: Bearer @@SECRET:stripe_key@@"
The pre-tool-use hook substitutes the real value at execution time. The post-tool-use hook scrubs any echoed value from output before it returns to the model.
Modes
| Mode | Behaviour |
|---|---|
observe |
Logs all findings, never blocks. Good for the first 24–48 h on a new workspace. |
enforce |
Blocks dangerous actions in real time before the agent executes them. |
Links
- Repository: https://github.com/PrismorSec/immunity-agent
- Docs: https://docs.prismor.dev
- Security playbook (loaded by the agent at session start): https://github.com/PrismorSec/security-playbook
- Dashboard: https://prismor.dev
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file immunity_agent-1.5.1.tar.gz.
File metadata
- Download URL: immunity_agent-1.5.1.tar.gz
- Upload date:
- Size: 210.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.8
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
772afaff81965511bb127274ec30f70f1e02056b58cfe72737637d1e6fa08591
|
|
| MD5 |
8798268acc2d6fb2e73c09d495216d1c
|
|
| BLAKE2b-256 |
ba7603fefc58618483b1c6da73316600dd201cbe3fa5c11b0cc74f3e3c0a3b42
|
File details
Details for the file immunity_agent-1.5.1-py3-none-any.whl.
File metadata
- Download URL: immunity_agent-1.5.1-py3-none-any.whl
- Upload date:
- Size: 235.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.8
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
721d823fd14c5ef73a61bf8de0c74124444f409d30850601bf0aac96f1bd35b0
|
|
| MD5 |
038bc071d16732dfb50faf9b882e6044
|
|
| BLAKE2b-256 |
72d1acef9fd102e5c4c9a04f950bf2bcbfba09bc1d5780bfb6500ebfe5f6b27f
|
