Architecture
Sits between agents and tools
Airlock is a permissions-aware gateway that sits between your AI agents and the tools they use. Control access with allowlists, require human approval for sensitive actions, and audit every single call — all through one config file.
230+ malicious skills on ClawHub. Zero-click RCE in the gateway. Your agent has shell access and reads untrusted content. What could go wrong?
npx airlock-bot --config gateway.yaml
Untrusted content — web pages, emails, documents, tool descriptions — can instruct your agent to take unauthorized actions with its available tools.
The agent misinterprets intent, hallucinates parameters, or calls the wrong tool — sending a message to the wrong person, deleting the wrong file, pushing to the wrong branch.
Today, agents either have full access to a tool or none at all. There's no way to allow reading but gate writing, or auto-approve safe commands while requiring approval for dangerous ones.
Airlock speaks the Model Context Protocol. Any MCP client connects, receives a filtered tool surface based on its agent profile, and all permission logic applies identically — regardless of the client.
Define exactly which tools each agent can see. Tools not in the allowlist are completely hidden — the agent doesn't even know they exist. Supports wildcards like github/*.
Flag sensitive tools for manual approval. When an agent tries to create a PR or push code, you get a notification on Telegram, Slack, or your terminal. Approve or deny with a single reply.
Every tool call is logged to SQLite — agent, tool, parameters, decision, latency. Redact sensitive fields automatically. Query your logs with a built-in API.
Make HTTP requests and run shell commands through the gateway. Domain allowlists, blocked hosts, and command-level policies (allow/deny/require approval) — all enforced at the infrastructure level.
Works with any MCP client — Claude Code, Cursor, OpenClaw, or your own. Connects over SSE or stdio. The agent just sees a normal MCP tool server.
Everything lives in gateway.yaml. Define your MCPs, agent profiles, approval rules, and exec policies in one place. Hot-reloads on save — no restarts needed.
Each agent gets a tailored tool manifest. Your coding agent sees filesystem and git tools. Your monitoring agent sees Sentry and PostHog. Your research agent sees HTTP GET and nothing else. Tools outside the allowlist are invisible.
Sensitive actions pause and wait. The agent calls github/create_pr and the gateway holds the connection, sends you a notification with the details, and waits for your approve or deny. The agent just experiences a slow tool call — no special client support needed.
Every call — allowed, approved, denied, timed out, blocked — is recorded with timestamps, parameters, decisions, and latency. Sensitive fields are automatically redacted. Query your audit log to understand exactly what your agents have been doing.
When an agent hits a gated action, you get a notification with all the context you need. Approve or deny in seconds — from Telegram, Slack, or your terminal.
APPROVE? [X9Y8Z7] Agent: claude-code Tool: exec/run Command: git push origin feature/auth-fix > approve X9Y8Z7 Approved. Executing...
Define your downstream MCPs, agent profiles, approval rules, and security policies in a single YAML file. Hot-reloads on save.
agents:
helena: # Personal assistant agent
allow:
- filesystem/read_file
- filesystem/list_directory
- github/* # Wildcard: all GitHub tools
- notion/*
- http/get
- exec/run
hitl: # These require your approval
- github/create_pr
- github/push
- notion/update_page
- http/post
- exec/run
monitoring: # Read-only agent, no HITL needed
allow:
- sentry/list_issues
- posthog/*
- http/get
hitl: []mcps:
filesystem:
transport: stdio
command: npx
args: ["@modelcontextprotocol/server-filesystem", "/workspace"]
github:
transport: stdio
command: npx
args: ["@modelcontextprotocol/server-github"]
env:
GITHUB_TOKEN: ${GITHUB_TOKEN}
slack:
transport: sse
url: http://localhost:3001/sseagents:
helena:
exec:
shell: /bin/bash
timeout: 30
allow: # Auto-approved commands
- "git status"
- "git diff *"
- "git log *"
- "ls *"
- "cat *"
hitl: # Require approval
- "git commit *"
- "git push *"
- "npm *"
deny: # Always blocked
- "rm -rf *"
- "sudo *"
- "curl *"hitl:
defaults:
timeout: 300 # 5 min default
timeouts:
"github/create_pr": 3600 # PRs get 1 hour
"exec/*": 120
providers:
- type: telegram
bot_token: ${TELEGRAM_BOT_TOKEN}
chat_id: ${TELEGRAM_CHAT_ID}
# Or use Slack
# - type: slack
# webhook_url: ${SLACK_WEBHOOK}
# Or use the terminal for dev
# - type: stdio# gateway.yaml — start with the example and customize
curl -o gateway.yaml https://raw.githubusercontent.com/airlock-dev/airlock/main/examples/gateway.yaml# SSE mode (for network clients like Cursor, OpenClaw)
npx airlock-bot --config gateway.yaml
# Or stdio mode (for Claude Code)
npx airlock-bot --config gateway.yaml --profile claude-code# In your MCP client config, connect to the gateway:
http://localhost:3000/agents/helena # SSE endpointRoute your OpenClaw instance through Airlock. Gate shell commands, require approval before sending messages, and block skills from exfiltrating data to unknown domains.
Give Claude Code full filesystem and git access, but gate git push, rm, and deployments behind human approval.
A read-only agent that watches Sentry and PostHog — no write tools exposed, no HITL needed, fully autonomous.
An agent that can fetch any URL via HTTP GET but has zero access to write tools, exec, or internal services.
Unauthorized tools are omitted from the manifest. The agent doesn't know they exist.
Unrecognized tool calls and unmatched commands are denied by default.
Agents can't reach the approval API — localhost is blocked for HTTP tools and curl is denied in exec policies.
Built-in HTTP tools respect a blocked hosts list that prevents access to local network, internal services, and the gateway itself.
Downstream tool descriptions are sanitized. Override descriptions in config to prevent prompt injection via tool manifests.
Pending HITL approvals are persisted to SQLite. Restart the gateway and pick up where you left off.
Airlock is open source and free. Set it up in minutes.
npx airlock-bot --config gateway.yaml