Your AI Agent Just Ran `rm -rf /` in Production — Here's How to Prevent It

Alexander Yudin — Fri, 15 May 2026 20:40:50 +0000

AI coding agents are incredible. Claude Code, Cursor, Copilot, Windsurf — they write code, debug, deploy. But they also get shell access to your servers.

And sometimes, they make mistakes.

A misaligned instruction, a vague prompt, or a malicious input in a codebase — and your AI agent runs rm -rf /var/log or drops a production database.

The Problem: Zero Governance

When you give an AI agent MCP (Model Context Protocol) access, it can:

Execute arbitrary shell commands
Read and write files anywhere
Access databases and APIs
Manage your infrastructure

With zero guardrails. No approval. No audit trail. No rollback.

This isn't theoretical. People are already reporting agents running destructive commands in production. The more powerful agents become, the more damage a single bad instruction can cause.

Enter FlowLink: Governance for MCP Agents

FlowLink is a governance layer specifically built for the Model Context Protocol. It sits between your AI agents and your infrastructure:

1. Policy Engine

Define what agents can and cannot do. Regex patterns, ML-learned patterns, per-agent and per-environment policies.

2. Real-time Risk Scoring

Every command gets a risk score from 0 to 100. Low risk = auto-approve. High risk = block or ask a human.

3. Approval Workflows

Three modes for every policy: auto (free pass), soft_ask (warned), hard_ask (human must approve via dashboard, Telegram, or Slack).

4. Sandbox Execution

Run dangerous commands in complete isolation: network namespace, read-only root filesystem, PID namespace, resource limits, timeout enforcement.

5. Complete Audit Trail

Every action logged, tamper-proof. Compliance-ready for SOC 2, FSTEC, GDPR. Full forensics timeline with blast radius analysis.

6. Canary Tokens

Deploy decoy files (fake AWS keys, fake API tokens). When an agent accesses them — instant alert.

Quick Start (5 minutes)

Add FlowLink as an MCP server in your config:

{
  "mcpServers": {
    "flowlink": {
      "url": "https://flowlink.flow-masters.ru/mcp",
      "headers": {
        "Authorization": "Bearer flk_live_YOUR_API_KEY"
      }
    }
  }
}

Now every command goes through governed MCP calls with 15 tools: exec, deploy, read, write, policy, approve, secrets, audit, and more.

Real-World Scenarios

Scenario 1: Block Destructive Commands
Agent tries: rm -rf /var/log
FlowLink: Blocked. Risk score: 95. Policy: deny destructive commands.

Scenario 2: Catch Credential Leaks
Agent reads a file containing AWS keys and tries to exfiltrate them.
FlowLink: Blocked. Exfiltration detected. Canary token triggered.

Scenario 3: Human Approval for Production
Agent tries: kubectl apply -f deployment.yaml --namespace=production
FlowLink: Pending approval. Risk score: 72. Notification sent to admin via Telegram.

Scenario 4: Sandbox Testing
Agent needs to run an untrusted script.
FlowLink: Executed in sandbox (isolated network, read-only FS, 30s timeout).

Why Not Just Remove Shell Access?

Because agents are 10x more useful WITH shell access. They deploy code, debug production, manage infrastructure. The goal isn't to remove access — it's to govern it. Think of FlowLink as a firewall, not a disconnect switch.

Architecture

AI Agents (MCP)  →  FlowLink  →  Your Infrastructure
                    - Policy Engine
                    - Risk Scorer
                    - Audit Logger
                    - Sandbox
                    - Approval Queue
                    - E2EE Relay

Supports Claude Code, Cursor, Copilot, Windsurf out of the box.

Pricing

Free: Core security (policies, risk scoring, audit trail)
Starter: Enhanced visibility (500 req/min)
Team: Compliance focus (RBAC, forensics, 1500 req/min)
Business: AI features (Red Team, Ops AI, 4000 req/min)
Enterprise: On-prem, custom, unlimited

DEV Community: Alexander Yudin