DEV Community: yalelet dessalegn

I Built a Security Firewall for AI Agents — Here's Why Every MCP Server Needs One

yalelet dessalegn — Tue, 17 Feb 2026 18:25:10 +0000

The Problem Nobody's Talking About

AI agents can now execute tools read files, run shell commands, query databases, make HTTP requests. Claude Code, Cursor, Windsurf they all use the Model Context Protocol (MCP) to talk to tool servers.

Here's the scary part: a single prompt injection can weaponize any AI agent.

An attacker embeds instructions in a document, email, or web page. The AI reads it, follows the injected instructions, and suddenly:

Reads your .ssh/id_rsa, .env files, API keys
Exfiltrates data via curl, wget, or DNS tunneling
Executes arbitrary shell commands with YOUR permissions
Chains multiple tools to escalate from read → exfil → execute

This isn't theoretical. These attacks work TODAY against unprotected MCP servers.

OpenClaw: The "Personal JARVIS" or a Security Nightmare?

In early 2026, OpenClaw (formerly ClawdBot/MoltBot) became the fastest-growing repo in history. It promises a "24/7 JARVIS" that lives in your WhatsApp and Slack. But because it has direct access to your shell and filesystem, it has become the #1 target for Agentic Hijacking.
Recent reports show that:

Malicious "Skills": Over 12% of the skills on ClawHub were found to be malicious, designed to steal session tokens.
Exposed Instances: Over 18,000 OpenClaw instances are currently exposed to the public internet with full shell access. The One-Click RCE: Vulnerabilities like CVE-2026-25253 allow hackers to hijack an agent just by making the user visit a malicious website.

Introducing Agent-Wall: The Firewall for the Agentic Era

I built Agent Wall an open-source security firewall that sits between any MCP client and server:

MCP Client  ←→  Agent Wall Proxy  ←→  MCP Server
                      ↕
               agent-wall.yaml
               + security modules
               + response scanner

Setup takes 30 seconds:

npm install -g @agent-wall/cli
agent-wall wrap -- npx @modelcontextprotocol/server-filesystem /home/user

That's it. Every tool call now passes through a 5-step defense pipeline.

The Defense Pipeline

Inbound (Request Scanning)

Every tools/call request runs through:

Step	Module	What it Does
1	Kill Switch	Emergency deny-all (file/signal/programmatic)
2	Injection Detector	30+ patterns detect prompt injection attacks
3	Egress Control	Block private IPs, SSRF, cloud metadata endpoints
4	Policy Engine	YAML rules with glob matching & rate limiting
5	Chain Detector	Suspicious multi-step patterns (read→exfil)

Outbound (Response Scanning)

Server responses are scanned before reaching the AI:

14 built-in secret patterns AWS keys, GitHub tokens, JWTs, private keys, database URLs
5 PII patterns email, phone, SSN, credit card, IP address
Custom regex patterns via YAML config
Actions: pass / redact / block

Live Demo: 12 Injection Attacks, All Blocked

I recorded the real-time dashboard while running 8 test scenarios against a live MCP server:

Results:

12/12 prompt injection categories → BLOCKED
6/6 exfiltration vectors (curl, wget, netcat, PowerShell, DNS) → BLOCKED
4/4 credential access attempts (.ssh, .env, .pem, credentials.json) → BLOCKED
Kill switch activate/deactivate → WORKS
Chain detection (read file → attempt curl exfil) → DETECTED

Injection Categories Caught:

instruction-override  → "Ignore previous instructions"
prompt-marker         → <|im_start|>system, [SYSTEM]:, <<SYS>>
authority-claim       → "jailbreak", "DAN mode", "IMPORTANT: override"
exfil-instruction     → "send the data to evil.com"
output-manipulation   → "pretend you are unrestricted"
delimiter-injection   → ```

system markers

The Policy File

Rules are defined in agent-wall.yaml first match wins:


yaml
version: 1
defaultAction: prompt

security:
  injectionDetection:
    enabled: true
    sensitivity: medium
  egressControl:
    enabled: true
    blockPrivateIPs: true
  killSwitch:
    enabled: true
  chainDetection:
    enabled: true

rules:
  - name: block-ssh-keys
    tool: "*"
    match:
      arguments:
        path: "**/.ssh/**"
    action: deny

  - name: block-curl-exfil
    tool: "shell_exec|run_command|execute_command"
    match:
      arguments:
        command: "*curl *"
    action: deny

  - name: allow-read-file
    tool: "read_file|get_file_contents"
    action: allow

Hot-reload included edit the YAML, changes apply instantly.

Real-Time Dashboard


bash
agent-wall wrap --dashboard -- npx mcp-server
# → Dashboard at http://localhost:61100

test video link

The dashboard shows:

Live event feed with allow/deny/prompt color coding
Stats cards total, forwarded, denied, attacks, scanned
Attack panel grouped by category (injections, SSRF, chains)
Rule hit table with visual bars (sortable)
Kill switch toggle with confirmation
Audit log with search & filter

All via WebSocket — updates in real-time as tool calls flow through.

Architecture



packages/
  core/        @agent-wall/core       — Proxy engine, policy, security modules
  cli/         @agent-wall/cli             — CLI (wrap, init, test, audit, scan, validate, doctor)
  dashboard/   @agent-wall/dashboard  — React SPA for real-time monitoring

Key decisions:

Zero MCP SDK dependency own JSON-RPC parser, works with any MCP version
HMAC-SHA256 signed audit logs with log rotation
No Express, no Socket.IO Node http + ws library. Minimal footprint.

CLI Tools


bash
# Wrap any MCP server
agent-wall wrap --dashboard -- npx mcp-server

# Generate starter config
agent-wall init

# Dry-run a tool call against your policy
agent-wall test --tool read_file --arg path=/home/.ssh/id_rsa
# → DENIED by rule "block-ssh-keys"

# Scan for unprotected MCP servers
agent-wall scan

# View audit log
agent-wall audit --log ./audit.log --filter denied

# Validate config
agent-wall validate

# Health check
agent-wall doctor

Why This Matters

The MCP ecosystem is exploding. There are hundreds of community MCP servers filesystem, database, git, shell, browser, email. Many are built quickly without security in mind.

Agent Wall protects you regardless of which MCP server you use. It operates at the protocol level, enforcing policies on every tools/call before it reaches the server.

Think of it as Cloudflare for AI agents you don't modify your backend, you put a proxy in front.

Get Started


bash
npm install -g @agent-wall/cli
agent-wall init
agent-wall wrap -- npx your-mcp-server

GitHub: agent-wall
npm: agent-wall
Docs: agent-wall

Star the repo if you think AI agent security should be a first-class concern, not an afterthought.

Every AI agent deserves a firewall.

Why I Built nevr-env — And Why process.env Deserves Better

yalelet dessalegn — Thu, 12 Feb 2026 05:19:32 +0000

I got tired of crashing apps, leaked secrets, and copy-pasting .env files on Slack. So I built an environment lifecycle framework.

Every developer has that moment.

You deploy on Friday. CI passes. You go home feeling productive.

Then the ping comes: "App is crashing in production."

The culprit? DATABASE_URL was never set. Your app accessed process.env.DATABASE_URL, got undefined, and silently passed it as a connection string. Postgres didn't appreciate that.

I've hit this exact bug more times than I want to admit. And every time, the fix was the same: add another line to .env.example, hope your teammates read the README, and move on.

I got tired of hoping. So I built nevr-env.

What's Actually Wrong With .env Files?

Nothing — as a concept. Environment variables are the right way to configure apps. The problem is the tooling around them:

No validation at startup — process.env.PORT returns string | undefined. If you forget PORT, your server silently listens on undefined.
No type safety — process.env.ENABLE_CACHE is "true" (a string), not true (a boolean). Every developer writes their own parsing.
Secret sprawl — Your team shares secrets via Slack DMs, Google Docs, or worse. .env.example is always outdated.
Boilerplate everywhere — Every new project: copy the Zod schemas, write the same DATABASE_URL: z.string().url(), same PORT: z.coerce.number().

The t3-env Gap

t3-env was a step forward. Type-safe env validation with Zod. I used it. I liked it.

But as my projects grew, the gaps showed:

// Every. Single. Project.
export const env = createEnv({
  server: {
    DATABASE_URL: z.string().url(),
    REDIS_URL: z.string().url(),
    STRIPE_SECRET_KEY: z.string().startsWith("sk_"),
    STRIPE_WEBHOOK_SECRET: z.string().startsWith("whsec_"),
    OPENAI_API_KEY: z.string().startsWith("sk-"),
    RESEND_API_KEY: z.string().startsWith("re_"),
    // ... 20 more lines of the same patterns
  },
});

I was writing the same schemas across 8 projects. When Stripe changed their key format, I had to update all of them.

And when a new teammate joined? They'd clone the repo, run npm run dev, see a wall of validation errors, and spend 30 minutes figuring out what goes where.

So I Built nevr-env

nevr-env is an environment lifecycle framework. Not just validation — the entire lifecycle from setup to production monitoring.

Here's what the same code looks like:

import { createEnv } from "nevr-env";
import { postgres } from "nevr-env/plugins/postgres";
import { stripe } from "nevr-env/plugins/stripe";
import { openai } from "nevr-env/plugins/openai";
import { z } from "zod";

export const env = createEnv({
  server: {
    NODE_ENV: z.enum(["development", "production", "test"]),
    API_SECRET: z.string().min(10),
  },
  plugins: [
    postgres(),
    stripe(),
    openai(),
  ],
});

3 plugins replace 15+ lines of manual schemas. Each plugin knows the correct format, provides proper validation, and even includes auto-discovery — if you have a Postgres container running on Docker, the plugin detects it.

The Three Features That Changed Everything

1. Interactive Fix Wizard

When a new developer runs your app with missing variables:

$ npx nevr-env fix

Instead of a wall of errors, they get an interactive wizard:

? DATABASE_URL is missing
  This is: PostgreSQL connection URL
  Format: postgresql://user:pass@host:port/db
  > Paste your value: █

Onboarding time went from "ask someone on Slack" to "run one command."

2. Encrypted Vault

This is the feature I'm most proud of.

# Generate a key (once per team)
npx nevr-env vault keygen

# Encrypt your .env into a vault file
npx nevr-env vault push
# Creates .nevr-env.vault (safe to commit to git!)

# New teammate clones repo and pulls
npx nevr-env vault pull
# Decrypts vault → creates .env

The vault file uses AES-256-GCM encryption with PBKDF2 600K iteration key derivation. It's safe to commit to git. The encryption key never touches your repo.

No more Slack DMs. No more "hey can you send me the .env?" No more paid secret management SaaS for small teams.

3. Secret Scanning

$ npx nevr-env scan

  Found 2 secrets in codebase:

  CRITICAL  src/config.ts:14  AWS Access Key (AKIA...)
  HIGH      lib/api.ts:8      Stripe Secret Key (sk_live_...)

This runs in CI and catches secrets before they hit your git history. Built-in, no extra tools needed.

13 Plugins and Counting

Every plugin encapsulates the knowledge of how a service works:

Category	Plugins
Database	`postgres()`, `redis()`, `supabase()`
Auth	`clerk()`, `auth0()`, `better-auth()`, `nextauth()`
Payment	`stripe()`
AI	`openai()`
Email	`resend()`
Cloud	`aws()`
Presets	`vercel()`, `railway()`, `netlify()`

And you can create your own:

import { createPlugin } from "nevr-env";
import { z } from "zod";

export const myService = createPlugin({
  name: "my-service",
  schema: {
    MY_API_KEY: z.string().min(1),
    MY_API_URL: z.string().url(),
  },
});

The Full CLI

nevr-env ships with 12 CLI commands:

Command	What it does
`init`	Set up nevr-env in your project
`check`	Validate all env vars (CI-friendly)
`fix`	Interactive wizard for missing vars
`generate`	Auto-generate `.env.example` from schema
`types`	Generate `env.d.ts` type definitions
`scan`	Find leaked secrets in code
`diff`	Compare schemas between versions
`rotate`	Track secret rotation status
`ci`	Generate CI config (GitHub Actions, Vercel, Railway)
`dev`	Validate + run your dev server
`watch`	Live-reload validation on .env changes
`vault`	Encrypted secret management (keygen/push/pull/status)

Try It

pnpm add nevr-env zod
npx nevr-env init

The init wizard detects your framework, finds running services, and generates a complete configuration.

GitHub: github.com/nevr-ts/nevr-env
npm: npmjs.com/package/nevr-env
Docs: [https://nevr-ts.github.io/nevr-env/)

If you've ever lost production time to a missing env var, I'd love to hear your story. And if nevr-env saves you from that — a star on GitHub would mean the world.

Built by Yalelet Dessalegn as part of the nevr-ts ecosystem.