<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Vasu Dalal</title>
    <description>The latest articles on DEV Community by Vasu Dalal (@vdalal).</description>
    <link>https://dev.to/vdalal</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4001076%2Fc1ecd5b8-65f7-4be2-a41c-8811bdc5a715.png</url>
      <title>DEV Community: Vasu Dalal</title>
      <link>https://dev.to/vdalal</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/vdalal"/>
    <language>en</language>
    <item>
      <title>I catalogued 32 real AI-agent failures, then marked the ones we cannot stop</title>
      <dc:creator>Vasu Dalal</dc:creator>
      <pubDate>Thu, 16 Jul 2026 00:46:12 +0000</pubDate>
      <link>https://dev.to/vdalal/i-catalogued-32-real-ai-agent-failures-then-marked-the-ones-we-cannot-stop-40k8</link>
      <guid>https://dev.to/vdalal/i-catalogued-32-real-ai-agent-failures-then-marked-the-ones-we-cannot-stop-40k8</guid>
      <description>&lt;p&gt;Every agent-security vendor tells you what they block. Nobody tells you what they miss.&lt;/p&gt;

&lt;p&gt;That gap is the whole problem. "We stop prompt injection" is a claim you cannot check. You cannot run it, and you cannot tell it apart from the next company saying the same sentence. So security engineers do the rational thing and discard all of it.&lt;/p&gt;

&lt;p&gt;I published the opposite. It is called the &lt;strong&gt;ARE Incident Database&lt;/strong&gt;, and it is public: &lt;a href="https://aredb.org" rel="noopener noreferrer"&gt;https://aredb.org&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  What is in it
&lt;/h2&gt;

&lt;p&gt;32 agent failures that actually happened, each with a real source. A production database dropped during a code freeze. Twenty-five thousand documents deleted in the wrong environment. Credentials read and shipped to an external sink. A budget burned to zero in a loop.&lt;/p&gt;

&lt;p&gt;Each one gets a stable id (&lt;code&gt;ARE-2026-001&lt;/code&gt; through &lt;code&gt;ARE-2026-032&lt;/code&gt;), and each one is mapped to its category in the &lt;strong&gt;OWASP Agentic Security Initiative Top 10&lt;/strong&gt;, which is the peer-reviewed catalog of what goes wrong with agents. AREDB does not compete with it. OWASP owns the map. This is the cited incidents underneath it.&lt;/p&gt;

&lt;h2&gt;
  
  
  The part that makes it uncomfortable to publish
&lt;/h2&gt;

&lt;p&gt;Every entry carries a coverage flag, and the flag is about &lt;strong&gt;our own product&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;We block 23 of the 32 today. Two more are partial, and they say partial. That leaves &lt;strong&gt;six of the ten OWASP categories&lt;/strong&gt; covered at the action layer, and four that we do not cover:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;ASI06 Memory and context poisoning.&lt;/strong&gt; We strip the hidden characters attackers use to smuggle instructions into text. We do not read the meaning of the text itself, so this one is only partial, and we mark it partial.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;ASI07 Insecure inter-agent communication.&lt;/strong&gt; This is about how agents talk to each other over the network, which a firewall that sits in front of actions never sees. Not ours.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;ASI09 Human-agent trust.&lt;/strong&gt; This is a design and disclosure problem. There is no action for a firewall to catch. Not ours.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;ASI10 Rogue agents.&lt;/strong&gt; We stop the dangerous actions, but we do not diagnose the misbehavior itself. Partial.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A firewall that claimed all ten would be lying, and every security engineer reading this already knows that. The four we do not cover are named in the registry, with a pointer to the discipline that does own them.&lt;/p&gt;

&lt;h2&gt;
  
  
  Do not trust any of it. Run it.
&lt;/h2&gt;

&lt;p&gt;Here is the part I actually care about. Every covered entry ships a repro you can execute. Not a screenshot, not a demo video, not a claim. A snippet.&lt;/p&gt;

&lt;p&gt;This is the Replit production wipe, reproduced against the free package:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;pip &lt;span class="nb"&gt;install &lt;/span&gt;agentx-security-sdk
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;agentx_sdk&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;agentx_protect&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;is_block&lt;/span&gt;

&lt;span class="nd"&gt;@agentx_protect&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;agent_id&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;aredb-repro&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;action&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;db_write&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="k"&gt;def&lt;/span&gt; &lt;span class="nf"&gt;run_sql&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;query&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nb"&gt;str&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
    &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;EXECUTED&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;          &lt;span class="c1"&gt;# the agent never gets here
&lt;/span&gt;
&lt;span class="n"&gt;result&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;run_sql&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;DROP TABLE users;&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="nf"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nf"&gt;is_block&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;result&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;        &lt;span class="c1"&gt;# True
&lt;/span&gt;&lt;span class="nf"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;result&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;                  &lt;span class="c1"&gt;# the block, and the safe path to take instead
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;No key. No gateway. No account. Your data stays on your machine. Sixty seconds, and you have checked one of my claims yourself.&lt;/p&gt;

&lt;h2&gt;
  
  
  The registry does not trust itself either
&lt;/h2&gt;

&lt;p&gt;A repro that nobody runs is a screenshot with extra steps. So the registry runs its own.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;test_repros.py&lt;/code&gt; scrapes the fenced Python block &lt;strong&gt;out of each published page&lt;/strong&gt; and executes it. That means the code a reader copies is byte-for-byte the code we prove blocks. It asserts three things, because "it blocked" is a weaker claim than it sounds:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;the block fires,&lt;/li&gt;
&lt;li&gt;the tool body never ran (a warning printed next to an action that still happens is not a block),&lt;/li&gt;
&lt;li&gt;the process exits clean (a crash is not a block either).&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;CI runs it on every push, and weekly on a schedule, because a repro can rot without anyone touching the repo. A future SDK release could quietly change behavior underneath a published claim, and I would rather find that out from a red badge than from you.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;So a coverage flag here is a tested fact, not just our opinion.&lt;/strong&gt; If a claim ever stops being true, the entry gets reclassified. The page does not get reworded.&lt;/p&gt;

&lt;h2&gt;
  
  
  What this is not
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Not a vulnerability database.&lt;/strong&gt; Publicly disclosed incidents only. If you have an undisclosed vulnerability in someone's product, report it to them, not to me.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Not a category system.&lt;/strong&gt; OWASP ASI is the standard one. This indexes onto it.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Not exhaustive.&lt;/strong&gt; It is a founding batch of 32. That is the honest size of it.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Not neutral about who built it.&lt;/strong&gt; AgentX-Core is the tool that does the blocking here, and I wrote both it and the registry. The defense against that is not a promise, it is the repro. Run it.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Two asks
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Try to break one.&lt;/strong&gt; Take an entry marked covered, run its snippet, and tell me it does not block. That is the most useful message you can send me, and it is the one I will act on fastest.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Send me the failure that bit you.&lt;/strong&gt; A real incident with a source. If it clears the bar, it gets an &lt;code&gt;ARE-2026-NNN&lt;/code&gt; id and it goes in. &lt;code&gt;CONTRIBUTING.md&lt;/code&gt; has the threshold, which is material consequence, not novelty.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Registry: &lt;a href="https://aredb.org" rel="noopener noreferrer"&gt;https://aredb.org&lt;/a&gt;&lt;br&gt;
Repo: &lt;a href="https://github.com/vdalal/ARE-Incident-Database" rel="noopener noreferrer"&gt;https://github.com/vdalal/ARE-Incident-Database&lt;/a&gt;&lt;br&gt;
Tell me what it missed: &lt;a href="https://discord.gg/PmWRTtaSx2" rel="noopener noreferrer"&gt;https://discord.gg/PmWRTtaSx2&lt;/a&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>security</category>
      <category>llm</category>
      <category>opensource</category>
    </item>
    <item>
      <title>The NSA wrote the MCP threat model. It never says what your agent does after the block.</title>
      <dc:creator>Vasu Dalal</dc:creator>
      <pubDate>Sat, 04 Jul 2026 09:02:18 +0000</pubDate>
      <link>https://dev.to/vdalal/the-nsa-wrote-the-mcp-threat-model-it-never-says-what-your-agent-does-after-the-block-3959</link>
      <guid>https://dev.to/vdalal/the-nsa-wrote-the-mcp-threat-model-it-never-says-what-your-agent-does-after-the-block-3959</guid>
      <description>&lt;p&gt;In May 2026 the NSA's AI Security Center published a Cybersecurity Information Sheet: &lt;em&gt;Model Context Protocol (MCP): Security Design Considerations for AI-Driven Automation&lt;/em&gt; (U/OO/6030316-26). It is the first government-authored threat model for MCP, and if you run agents through MCP servers, it is worth the read.&lt;/p&gt;

&lt;p&gt;Read it end to end and one word never appears: &lt;strong&gt;recover&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;That absence is the whole point of this post.&lt;/p&gt;

&lt;h2&gt;
  
  
  The part the NSA gets exactly right
&lt;/h2&gt;

&lt;p&gt;The report does not treat a tool call like an API request. It treats it like a loaded gun:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;"It is prudent to treat any tool execution triggered via MCP as a potentially high-risk action."&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;And it says where the check belongs. Not on the network, not in a scanner you run before deployment, but at runtime, in the process, at the moment the action would happen:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;"if a server does not require access to sensitive file systems, model or data files, or internal networks, those access paths should be explicitly denied &lt;strong&gt;at runtime&lt;/strong&gt;."&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;It goes further and describes output filtering that reads like a product spec:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;"Each output must be treated as untrusted input to the next phase of the pipeline... Filtering should include content length checks, disallowed keyword scanning, rate limiting, and application specific policy enforcement... detection of indirect prompt injection or toolchain pivot attempts."&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;If you have ever argued that an API gateway or a WAF cannot see an agent run &lt;code&gt;rm -rf&lt;/code&gt; or open its own database socket, the NSA just wrote that argument down for you. The enforcement point is inside the process, where text becomes action.&lt;/p&gt;

&lt;h2&gt;
  
  
  The half it leaves to you
&lt;/h2&gt;

&lt;p&gt;Here is what the report does not do. Every one of its mitigations is prevention: block, sandbox, validate, sign, log, scan, patch. Not one of them says what your agent does &lt;em&gt;after&lt;/em&gt; a dangerous call is stopped.&lt;/p&gt;

&lt;p&gt;In a normal web app that is fine. A blocked request returns a 403 and a human retries. In an autonomous run, that same block lands in the middle of a multi-step task and the agent gives up. You did not get safety. You traded one broken outcome for another, and you burned the tokens getting there.&lt;/p&gt;

&lt;p&gt;The NSA even names the requirement without offering an answer:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;bring MCP in line with secure practices "without stifling the flexibility and power that make it attractive in the first place."&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Blocking the call and killing the run &lt;em&gt;is&lt;/em&gt; stifling it. The report says the block has to happen and says nothing about keeping the agent working through it. That gap is the interesting engineering problem, and it is where we spend our time.&lt;/p&gt;

&lt;h2&gt;
  
  
  Both halves, one line in mcp.json
&lt;/h2&gt;

&lt;p&gt;&lt;code&gt;agentx-mcp&lt;/code&gt; is a small stdio proxy. It spawns your real MCP server, relays the protocol untouched, and screens every &lt;code&gt;tools/call&lt;/code&gt; before it runs:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"mcpServers"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"database"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"command"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"agentx-mcp"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"args"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"npx"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"-y"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"your-real-mcp-server"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"..."&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;pip &lt;span class="nb"&gt;install &lt;/span&gt;agentx-security-sdk   &lt;span class="c"&gt;# ships the agentx-mcp command&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;The block (the NSA's "high-risk action, denied at runtime"):&lt;/strong&gt; a deterministic floor catches the blatant catastrophic calls before they reach the server. A &lt;code&gt;DROP TABLE&lt;/code&gt;, an unscoped &lt;code&gt;DELETE&lt;/code&gt;, a secret-store read, an SSRF to &lt;code&gt;169.254.169.254&lt;/code&gt;, an &lt;code&gt;rm -rf&lt;/code&gt;. No API key, nothing leaves your machine, no model in the hot path for the block. It screens the protocol, so it works with any MCP-speaking stack. You can verify that part in two minutes without trusting me.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The half the report skips:&lt;/strong&gt; the block does not end the run. The agent gets back what it needs to correct, and on the MCP path its own model does the correcting, so the task finishes instead of dying on the block. You can watch the whole block-and-recover loop for free.&lt;/p&gt;

&lt;p&gt;Here it is end to end on a real MCP server. The task is "report the user count," and the query hides an injection: &lt;code&gt;SELECT name FROM users; DROP TABLE users;&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F0fubd6vwjgaq89tm9xpg.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F0fubd6vwjgaq89tm9xpg.gif" alt="agentx-mcp blocks a stacked DROP TABLE at the proxy before it reaches the database, and the run still finishes with the user count, the table intact" width="760" height="630"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The &lt;code&gt;DROP TABLE&lt;/code&gt; never reaches the database. The run keeps going and still returns the right answer: three users, table intact, task done.&lt;/p&gt;

&lt;h2&gt;
  
  
  What this is not
&lt;/h2&gt;

&lt;p&gt;To be clear about scope, because the report is broader than any one tool:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The NSA doesn't endorse products. The CSI carries an explicit disclaimer, and this post is not affiliated with them. The report describes the requirement. This is one way to meet part of it.&lt;/li&gt;
&lt;li&gt;The report also recommends message signing, token lifecycle controls, DLP proxies, and network scanning for rogue MCP servers. Those are real, and they are not this. &lt;code&gt;agentx-mcp&lt;/code&gt; is the runtime action-enforcement and output-filtering layer, plus the recovery the report leaves open. Compose it with the rest.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Try it, and tell me what it caught
&lt;/h2&gt;

&lt;p&gt;I want people running MCP servers against something real (a database, a filesystem, cloud, internal APIs) to wrap one and tell me two things:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What did it catch that would have bitten you?&lt;/li&gt;
&lt;li&gt;&lt;p&gt;What dangerous tool call did it miss? Try to stump it.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;&lt;a href="https://agentx-core.com/?utm_source=devto-nsa&amp;amp;utm_medium=article" rel="noopener noreferrer"&gt;Watch the catch-and-recover live, and try it&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Tell me what broke or what it missed:&lt;/strong&gt; &lt;a href="https://discord.gg/PmWRTtaSx2" rel="noopener noreferrer"&gt;https://discord.gg/PmWRTtaSx2&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The NSA said treat every tool call as high-risk and deny at runtime. Fair. The next question is what your agent does the second after you do.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>mcp</category>
      <category>security</category>
      <category>llm</category>
    </item>
    <item>
      <title>Is your MCP server safe? One line in mcp.json, and your agent recovers from its own DROP TABLE</title>
      <dc:creator>Vasu Dalal</dc:creator>
      <pubDate>Tue, 30 Jun 2026 01:25:47 +0000</pubDate>
      <link>https://dev.to/vdalal/is-your-mcp-server-safe-one-line-in-mcpjson-and-your-agent-recovers-from-its-own-drop-table-3k13</link>
      <guid>https://dev.to/vdalal/is-your-mcp-server-safe-one-line-in-mcpjson-and-your-agent-recovers-from-its-own-drop-table-3k13</guid>
      <description>&lt;p&gt;If you run an AI agent through MCP (Claude Code, Cursor, or any MCP client), your tool calls now flow through MCP servers: a filesystem server, a database server, a shell. That standardization is great. It also means a single hallucinated or prompt-injected tool call can do real, irreversible damage, and the model does not know a destructive call from a safe one until it is already making it.&lt;/p&gt;

&lt;p&gt;So people ask: &lt;strong&gt;is this MCP server safe?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Here is the better question. Your agent will, eventually, send an MCP server something destructive. The question is not only whether you block it. It is whether the run survives the block.&lt;/p&gt;

&lt;h2&gt;
  
  
  Block it with one line. No code, no key.
&lt;/h2&gt;

&lt;p&gt;Wrap any MCP server with &lt;code&gt;agentx-mcp&lt;/code&gt;. It is a small stdio proxy: it spawns the real server, relays the MCP protocol untouched, and screens every &lt;code&gt;tools/call&lt;/code&gt; before it runs. One line in your &lt;code&gt;mcp.json&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"mcpServers"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"database"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"command"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"agentx-mcp"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"args"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"npx"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"-y"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"your-real-mcp-server"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"..."&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;pip &lt;span class="nb"&gt;install &lt;/span&gt;agentx-security-sdk   &lt;span class="c"&gt;# this ships the agentx-mcp command&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Now every tool call the agent makes is checked by a deterministic floor first. A &lt;code&gt;DROP TABLE&lt;/code&gt;, an unscoped &lt;code&gt;DELETE&lt;/code&gt;, a secret-store read, an SSRF to &lt;code&gt;169.254.169.254&lt;/code&gt;, an &lt;code&gt;rm -rf&lt;/code&gt;: all blocked before they reach the server. No API key, nothing leaves your machine, no LLM in the hot path for the block. It works with any MCP-speaking stack, because it screens the protocol, not your code.&lt;/p&gt;

&lt;p&gt;That is the part you can verify in two minutes without trusting me.&lt;/p&gt;

&lt;h2&gt;
  
  
  A block that kills the run is still a broken agent
&lt;/h2&gt;

&lt;p&gt;Most "is it safe" answers stop here: the dangerous call is blocked, the tool returns an error, and your agent gives up. A hard 403 in the middle of an autonomous run is its own kind of failure. The task does not get done. You just traded one broken outcome for another.&lt;/p&gt;

&lt;h2&gt;
  
  
  So agentx-mcp coaches the agent instead of killing it
&lt;/h2&gt;

&lt;p&gt;When the shield blocks a &lt;code&gt;tools/call&lt;/code&gt;, &lt;code&gt;agentx-mcp&lt;/code&gt; does not return a dead error. It returns a &lt;strong&gt;coaching&lt;/strong&gt; tool error that names what was unsafe and points at a safe path. Your agent reads it on its next turn, revises, and tries a safe version. The run keeps going.&lt;/p&gt;

&lt;p&gt;Here is the loop, end to end, on a real MCP server:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F1bazbwd8brljks5qdb3y.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F1bazbwd8brljks5qdb3y.gif" alt=" " width="760" height="630"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;The agent's task is "report the user count." Its query hides an injection: &lt;code&gt;SELECT name FROM users; DROP TABLE users;&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;agentx-mcp&lt;/code&gt; blocks it at the proxy. The call never reaches the database. The agent gets back a coaching error: blocked, mass destructive intent, revise to a safe read.&lt;/li&gt;
&lt;li&gt;The agent revises to &lt;code&gt;SELECT COUNT(*) FROM users&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;That runs. Three users. The table is intact. The task is done.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The catch is table stakes. The recovery is the point: your agent finishes the job instead of dying on the block.&lt;/p&gt;

&lt;p&gt;This recovery is keyless and in-band. The agent doing the self-correcting is &lt;strong&gt;your&lt;/strong&gt; agent, your MCP client's own model, reading the coaching. There is no extra key and no gateway in this loop. (A richer, gateway-coached version is on the roadmap, but the keyless coaching above is what ships today.)&lt;/p&gt;

&lt;h2&gt;
  
  
  What it catches today, and how
&lt;/h2&gt;

&lt;p&gt;The floor is deterministic, so the block is a rule, not a vibe:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;destructive SQL: &lt;code&gt;DROP TABLE&lt;/code&gt;, &lt;code&gt;TRUNCATE&lt;/code&gt;, unscoped &lt;code&gt;DELETE&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;secret and API-key bulk reads&lt;/li&gt;
&lt;li&gt;SSRF and cloud-metadata fetches (&lt;code&gt;169.254.169.254&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;shell and filesystem teardown: &lt;code&gt;rm -rf&lt;/code&gt;, &lt;code&gt;curl | sh&lt;/code&gt;, path traversal&lt;/li&gt;
&lt;li&gt;runaway tool-call loops&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;No model inference for the floor, which is why it runs with no key and adds negligible latency. It is the blatant-catastrophic floor on purpose: the things you never want an agent to do, blocked deterministically, every time.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fxjxkuxtuhr8fwmcqdbty.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fxjxkuxtuhr8fwmcqdbty.gif" alt=" " width="760" height="630"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Try it, and tell me what it caught
&lt;/h2&gt;

&lt;p&gt;I am looking for people running MCP servers against something real (a database, a filesystem, cloud, internal APIs) to wrap one and tell me two things:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What did it catch that would have bitten you?&lt;/li&gt;
&lt;li&gt;&lt;p&gt;What dangerous tool call did it miss? Try to stump it.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;&lt;a href="https://agentx-core.com/?utm_source=devto-mcp-safe&amp;amp;utm_medium=article" rel="noopener noreferrer"&gt;Watch the catch-and-recover live, and try it&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Tell me what broke or what it missed:&lt;/strong&gt; &lt;a href="https://discord.gg/PmWRTtaSx2" rel="noopener noreferrer"&gt;https://discord.gg/PmWRTtaSx2&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If your agent never touches anything irreversible, ignore me. If it does, wrapping one MCP server is one line, and &lt;code&gt;DROP TABLE&lt;/code&gt; is a bad way to learn this the hard way.&lt;/p&gt;

&lt;h2&gt;
  
  
  Try it, and tell me what it caught
&lt;/h2&gt;

&lt;p&gt;I am looking for people running MCP servers against something real (a database, a filesystem, cloud, internal APIs) to wrap one and tell me two things:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What did it catch that would have bitten you?&lt;/li&gt;
&lt;li&gt;&lt;p&gt;What dangerous tool call did it miss? Try to stump it.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Watch the catch-and-recover live, and try it:&lt;/strong&gt; &lt;a href="https://bit.ly/agentfirewall" rel="noopener noreferrer"&gt;https://bit.ly/agentfirewall&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Tell me what broke or what it missed:&lt;/strong&gt; &lt;a href="https://discord.gg/PmWRTtaSx2" rel="noopener noreferrer"&gt;https://discord.gg/PmWRTtaSx2&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If your agent never touches anything irreversible, move along. If it does, wrapping one MCP server is one line, and &lt;code&gt;DROP TABLE&lt;/code&gt; is a bad way to learn this the hard way.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>mcp</category>
      <category>security</category>
      <category>llm</category>
    </item>
    <item>
      <title>I let my AI agent provision cloud infra. Then I made sure it couldn't go bankrupt doing it.</title>
      <dc:creator>Vasu Dalal</dc:creator>
      <pubDate>Fri, 26 Jun 2026 21:37:06 +0000</pubDate>
      <link>https://dev.to/vdalal/i-let-my-ai-agent-provision-cloud-infra-then-i-made-sure-it-couldnt-go-bankrupt-doing-it-g1p</link>
      <guid>https://dev.to/vdalal/i-let-my-ai-agent-provision-cloud-infra-then-i-made-sure-it-couldnt-go-bankrupt-doing-it-g1p</guid>
      <description>&lt;p&gt;A few days back I wrote about giving an autonomous agent database access and building a firewall so it couldn't &lt;code&gt;DROP TABLE&lt;/code&gt; prod. Same lesson, new surface: this time the agent had &lt;strong&gt;cloud credentials&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;The failure mode isn't a destructive command here. It's spend. An agent pointed at a networking task can scan a whole range looking for hosts, then spin up a fleet of instances to do it faster. Every individual call is "authorized," your IAM role said yes. The bill is&lt;br&gt;
what eventually says no.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;## Two shapes, two right answers&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The interesting part is that these are not the same kind of problem, so they don't get the same verdict.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. The scan is never legitimate as an agent tool call.&lt;/strong&gt; An &lt;code&gt;nmap -sS -p- 10.0.0.0/16&lt;/code&gt; or a &lt;code&gt;masscan&lt;/code&gt; across a network is reconnaissance and abusive egress. There's no benign version of an agent sweeping a network at scale, so it gets &lt;strong&gt;hard-blocked&lt;/strong&gt;, deterministically, before the call runs. (A scan of your own &lt;code&gt;localhost&lt;/code&gt; is a dev check, so that's exempt.)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. The provisioning might be totally fine.&lt;/strong&gt; Spinning up 50 instances could be a real scale-out, or a runaway loop burning money. You can't tell from the action alone, only from the consequence. So instead of blocking it, AgentX &lt;strong&gt;pauses it for a human&lt;/strong&gt;: a 202, "held for approval," routed to whoever owns the budget. Block the thing that's never okay, escalate the thing that's sometimes okay. Gate on consequence, not identity.&lt;/p&gt;

&lt;p&gt;Both checks are zero-LLM. No model in the hot path means no latency tax and nothing to talk out of it. A runaway fleet should be caught by a rule, not a vibe.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;## The bigger thing this closes&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;We keep a catalog of real, documented agent failures and triage each one: is it something an &lt;strong&gt;action&lt;/strong&gt; firewall can deterministically catch, or is it someone else's category (output hallucination, content safety, model internals)? We only build for the coverable ones, and we&lt;br&gt;
flag the rest honestly instead of faking a signature.&lt;/p&gt;

&lt;p&gt;With this release, the coverable list is &lt;strong&gt;done&lt;/strong&gt;. Every failure shape an action firewall can actually own now has a deterministic block or a human-in-the-loop escalation behind it. The honesty about what we &lt;em&gt;don't&lt;/em&gt; cover is the point, it's how you know the coverage claims are real.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;## Verify it in 2 minutes&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The network checks above run in the gateway, but the part you can prove on your own machine with no key and no account is the deterministic floor:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;pip &lt;span class="nb"&gt;install &lt;/span&gt;agentx-security-sdk
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;agentx_sdk&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;agentx_protect&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;is_block&lt;/span&gt;

&lt;span class="nd"&gt;@agentx_protect&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;agent_id&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;demo&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="k"&gt;def&lt;/span&gt; &lt;span class="nf"&gt;run_sql&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;query&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nb"&gt;str&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;db_session&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="bp"&gt;None&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
    &lt;span class="nf"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;EXECUTED (DANGER):&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;query&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;   &lt;span class="c1"&gt;# never reached
&lt;/span&gt;    &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;ok&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="bp"&gt;True&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="n"&gt;result&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;run_sql&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;query&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Please clean up: DROP TABLE users;&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="nf"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;BLOCKED:&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nf"&gt;is_block&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;result&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;       &lt;span class="c1"&gt;# -&amp;gt; True, offline, no key
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;One decorator. The catastrophic call is intercepted before your function body runs.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;## Why I'm posting&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Same ask as last time: I want a handful of people running &lt;strong&gt;real&lt;/strong&gt; Python agents against live systems, a DB, cloud, files, money, ideally unattended, to point this at their stack and tell me where it's wrong. What would have bitten you? What shape is it still missing?&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Try it live (keyless): [(&lt;a href="https://agentx-core.com/?utm_source=devto&amp;amp;utm_medium=article)" rel="noopener noreferrer"&gt;https://agentx-core.com/?utm_source=devto&amp;amp;utm_medium=article)&lt;/a&gt;]&lt;/li&gt;
&lt;li&gt;Community / tell me what broke: &lt;a href="https://discord.gg/PmWRTtaSx2" rel="noopener noreferrer"&gt;https://discord.gg/PmWRTtaSx2&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Or just reply here.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If your agent never touches anything irreversible or expensive, say pass. If it does, the repro is two minutes, and a runaway cloud bill is a bad way to find out the hard way.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>python</category>
      <category>security</category>
      <category>llm</category>
    </item>
    <item>
      <title>I gave my AI agent database access. Then I built a firewall so it couldn't wipe prod.</title>
      <dc:creator>Vasu Dalal</dc:creator>
      <pubDate>Wed, 24 Jun 2026 18:46:26 +0000</pubDate>
      <link>https://dev.to/vdalal/i-gave-my-ai-agent-database-access-then-i-built-a-firewall-so-it-couldnt-wipe-prod-83c</link>
      <guid>https://dev.to/vdalal/i-gave-my-ai-agent-database-access-then-i-built-a-firewall-so-it-couldnt-wipe-prod-83c</guid>
      <description>&lt;p&gt;A few months ago I gave an autonomous agent write access to a real database. It was a LangChain-style loop — plan, call a tool, observe, repeat and one of the tools ran SQL.&lt;/p&gt;

&lt;p&gt;It worked great in the demo. Then I watched it, during a "clean up the test rows" task, generate this:&lt;/p&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;
sql
DROP TABLE users;

It didn't run (staging, and I was watching). But the lesson landed: the LLM doesn't know the difference between a destructive command and a safe one until it's already calling the tool. And by then your code is one cursor.execute() away from an incident.

**"AI firewalls" guard the wrong side**

When I went looking for protection, almost everything in the "LLM security" space guards the inbound side — prompt injection, jailbreaks, PII in the input. Useful, but it's the wrong end for an autonomous agent. My problem wasn't a malicious prompt. It was a well-meaning agent emitting a catastrophic action.

What I actually wanted was a firewall on the outbound side; the tool calls themselves:

- destructive SQL (DROP TABLE, unscoped DELETE)
- writes to prod / ALTER ... DROP COLUMN
- SSRF and cloud-metadata fetches (169.254.169.254)
- bulk secret / API-key reads
- runaway retry loops draining your token budget

And critically: I wanted the catch to be deterministic. If your safety layer is itself an LLM call, it's slower, costs money, and can be talked out of it. A DROP TABLE should be blocked by a rule, not a vibe.

**The 2-minute version you can run right now**

I ended up building this and putting the SDK on PyPI. Here's the whole thing; it blocks a live DROP TABLE offline, with no API key, using built-in policy seeds:

pip install agentx-security-sdk

from agentx_sdk import agentx_protect, is_block

@agentx_protect(agent_id="demo")
def run_sql(query: str, db_session=None):
    print("EXECUTED (DANGER):", query)   # never reached
    return {"ok": True}

result = run_sql(query="Please clean up: DROP TABLE users
print("BLOCKED:", is_block(result))       # -&amp;gt; True, offline, no key

One decorator on your tool function. The destructive call gets intercepted before your
function body runs, and you get a block result back insteateway,
no account, no LLM in the hot path as it runs entirely on your machine.

▎ Note: the package is agentx-security-sdk (import path agentx_sdk), version ≥ 0.3.11.

**How the block works**

The decorator wraps your tool call and runs the arguments through a layer of deterministic
checks before execution including pattern + structural rules for s
(destructive SQL, prod writes, SSRF targets, secret-store reads, no-progress loops). If a rule trips, the call returns a block instead of executing. No  the floor, which is why it works with no key and adds negligible latency.

There's more above that floor — it can escalate ambiguous-but-dangerous actions for a human-in-the-loop decision, circuit-break a runaway loop, reframe and retry the run instead of just dying. But the part I want you to be able to verify in 2 minutes without trusting me is the whole point of leading with it.

**Why I'm posting this**
I'm looking for a handful of people running real Python agents; something that touches a
live DB, cloud, files, or money, ideally unattended to stack and
tell me where it's wrong. Not a launch, not a sales pitch. I want to know:

- Does it catch the thing that would've bitten you?
- What dangerous action shape is it missing?

If you've ever thought "what happens when this agent does something irreversible at 2am," I'd genuinely like your take.

- **[Try it live (keyless quickstart)](https://agentx-core.com/?utm_source=devto-firewall&amp;amp;utm_medium=article)**
- Community / tell me what broke: https://discord.gg/PmWR
- Or just reply here. Bonus points for the war story that made you click.

If your agent never touches anything irreversible, ignore me. If it does, the repro's two minutes, and DROP TABLE is a bad way to find out  the hard way.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

</description>
      <category>ai</category>
      <category>python</category>
      <category>security</category>
      <category>llm</category>
    </item>
  </channel>
</rss>
