avakill

AvaKill is an open-source safety “firewall” for AI agents: it intercepts tool calls, evaluates them against a YAML policy (deny-by-default, rule-based checks including shell/path/content scanning, rate limits, and approval gates), and blocks/kills dangerous operations before execution. It provides multiple enforcement paths: native agent hooks, an MCP proxy/wrapper, and OS-level sandboxing, with an optional daemon for shared evaluation and audit logging.

Evaluated Apr 04, 2026 (0d ago)
Homepage ↗ Repo ↗ Security ai-safety agent-tooling policy-engine yml-policies mcp sandboxing security python
⚙ Agent Friendliness
73
/ 100
Can an agent use this?
🔒 Security
50
/ 100
Is it safe for agents?
⚡ Reliability
39
/ 100
Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality
45
Documentation
80
Error Messages
0
Auth Simplicity
95
Rate Limits
85

🔒 Security

TLS Enforcement
20
Auth Strength
50
Scope Granularity
55
Dep. Hygiene
55
Secret Handling
70

Strengths (from provided docs/manifest): deterministic, deny-by-default rule evaluation; multiple independent enforcement paths (hooks + MCP proxy + OS sandbox) to reduce single-point failure; content scanning for secrets/PII/prompt injection; policy signing/verification and keygen commands are mentioned. Uncertainties: TLS/auth details for any daemon/remote communication are not provided; dependency hygiene and vulnerability status are not verifiable from the provided content; secret handling behavior (e.g., logging redaction) is not explicitly described in the README excerpt.

⚡ Reliability

Uptime/SLA
0
Version Stability
60
Breaking Changes
40
Error Recovery
55
AF Security Reliability

Best When

You need local, deterministic, policy-based guardrails around agent tool use across multiple agent runtimes (hooks/MCP/OS sandbox) with an auditable trail and configurable deny-by-default rules.

Avoid When

You cannot practically integrate/enable one of the enforcement paths (hooks/MCP wrapping/OS sandbox) or you require a hosted, managed service with centralized policy distribution and guaranteed uptime/SLA.

Use Cases

  • Blocking destructive shell commands and other high-risk tool actions from agent tool calls
  • Preventing unsafe file writes/edits to sensitive system directories
  • Detecting and blocking potential secret/PII/prompt-injection content in tool arguments/responses
  • Enforcing policy-driven approvals (human-in-the-loop) for specific operations like file writes
  • Rate limiting specific tools (e.g., web search) to reduce abuse and runaway agent behavior
  • Hardening and auditing agent tool activity across multiple agent frameworks (Python SDK and framework wrappers)

Not For

  • As a substitute for robust application security controls (authz, least privilege, backups)
  • Guaranteeing perfect safety against all novel or application-specific attack vectors
  • Managing sensitive compliance obligations if policy signing/verification and audit retention requirements are not operationally enforced

Interface

REST API
No
GraphQL
No
gRPC
No
MCP Server
Yes
SDK
Yes
Webhooks
No

Authentication

Methods: CLI usage (local) Python SDK Guard / protect decorator Framework wrappers (GuardedOpenAIClient, GuardedAnthropicClient, LangChain callback handler)
OAuth: No Scopes: No

The README describes local enforcement and policy evaluation. It also mentions policy signing/verification (Ed25519/HMAC-SHA256) and a keygen command, but no service-style auth scheme (API keys/OAuth scopes) for remote access is described in the provided content.

Pricing

Free tier: No
Requires CC: No

No pricing/hosted tiers are described; appears to be open-source distributed via pip/PyPI under AGPL.

Agent Metadata

Pagination
none
Idempotent
False
Retry Guidance
Not documented

Known Gotchas

  • Tool name normalization may need correct mapping per agent; policy uses canonical tool names but different agents may emit different tool identifiers without proper hook/MCP wrapping.
  • Shell/file/path safety checks depend on correct argument structures and available metadata; ambiguous tool arguments could lead to false positives/denies.
  • Approval workflows require human interaction; unattended runs may stall if policies use require_approval.
  • If OS sandboxing/hardening profiles are misconfigured or not supported on a platform, the corresponding enforcement path may be unavailable.

Alternatives

Other guardrail frameworks and policy engines (e.g., general-purpose guardrails for LLM tool use) Cloud/WAF-style security controls (not specific to agent tool calls) Sandboxing/containerization and egress-control (OS/container first, policy second) MCP tool filtering at the application layer (custom MCP server logic)

Full Evaluation Report

Comprehensive deep-dive: security analysis, reliability audit, agent experience review, cost modeling, competitive positioning, and improvement roadmap for avakill.

AI-powered analysis · PDF + markdown · Delivered within 30 minutes

$99

Package Brief

Quick verdict, integration guide, cost projections, gotchas with workarounds, and alternatives comparison.

Delivered within 10 minutes

$3

Score Monitoring

Get alerted when this package's AF, security, or reliability scores change significantly. Stay ahead of regressions.

Continuous monitoring

$3/mo
API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-04-04.

8642
Packages Evaluated
17761
Need Evaluation
586
Need Re-evaluation
Community Powered