{"id":"fawdyinc-shellguard","name":"shellguard","homepage":null,"repo_url":"https://github.com/fawdyinc/shellguard","category":"devtools","subcategories":[],"tags":["mcp","ssh","llm-agents","devops","remote-access","security","go"],"what_it_does":"ShellGuard is an MCP (Model Context Protocol) server that lets LLM agents connect to remote hosts over SSH and run a restricted, validated set of observation/diagnostic shell commands (optionally provisioning common diagnostic tools and downloading files via SFTP). It is designed to block destructive operations via syntax-level parsing and an allow/deny command model.","use_cases":["Letting an LLM perform safe remote diagnostics on staging/dev/prod servers over SSH","Inspecting logs and running read-only investigations without copy-pasting terminal output","Querying/searching files using provisioned tools (e.g., rg/jq/yq)","Downloading specific remote artifacts for analysis (SFTP with size limits)"],"not_for":["Executing arbitrary shell commands chosen freely by the LLM","Automating high-risk or destructive administrative operations","Unauthenticated use of SSH credentials","Production environments where any remote shell access is prohibited by policy"],"best_when":"You want an LLM to perform controlled, read-only style investigations on known hosts with strict command restrictions and clear observability into what is executed.","avoid_when":"You cannot guarantee that SSH credentials, host verification, and command allowlists are properly configured; or you require fully arbitrary command execution.","alternatives":["Use an SSH gateway plus a purpose-built read-only “diagnostics” agent/service","Use session recording/telemetry tools and analyze logs externally (no remote shell execution)","Adopt other MCP-to-SSH or “remote command” MCP servers with stronger policy enforcement (if available)"],"af_score":66.5,"security_score":62.0,"reliability_score":35.0,"package_type":"mcp_server","discovery_source":["github"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-03-30T15:40:55.612237+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":null,"has_sdk":true,"sdk_languages":["Go"],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["SSH private key via identity_file","ssh-agent (SSH_AUTH_SOCK)","Default local SSH keys (~/.ssh/id_ed25519, id_ecdsa, id_rsa)"],"oauth":false,"scopes":false,"notes":"Authentication is SSH-key based. The server attempts methods in a defined priority order. There is no mention of OAuth or fine-grained scopes; authorization is effectively governed by the allowed command set plus the SSH account/keys used."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"No pricing details were provided in the supplied content; installation is via local binaries or Go tooling."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":66.5,"security_score":62.0,"reliability_score":35.0,"mcp_server_quality":85.0,"documentation_accuracy":80.0,"error_message_quality":null,"error_message_notes":"README describes restrictions and gives user-facing messages for common disallowed patterns (e.g., wget -r, tail -f, sed modes, variable expansion). Specific error codes/schema for MCP responses are not shown in the provided content.","auth_complexity":55.0,"rate_limit_clarity":5.0,"tls_enforcement":80.0,"auth_strength":70.0,"scope_granularity":35.0,"dependency_hygiene":50.0,"secret_handling":70.0,"security_notes":"Security posture is driven by SSH key authentication (no OAuth) and strong command restrictions: bash parsing into an AST, syntax rejection for tricks (semicolons/redirections/command substitution), default-deny allowlist/denylist validation, argument re-quoting, timeouts and output truncation, plus explicit blocking of destructive behaviors with suggested safer alternatives. Host key verification defaults to trust-on-first-use (accept-new) with options for strict/off. Rate limiting is not documented in the provided content. Dependency/CVE hygiene is not assessable from the supplied material.","uptime_documented":0.0,"version_stability":45.0,"breaking_changes_history":40.0,"error_recovery":55.0,"idempotency_support":"false","idempotency_notes":"No explicit idempotency guarantees are documented. Some operations (connect/disconnect, provisioning, downloading) may be safely repeatable depending on remote state, but this is not formally specified.","pagination_style":"none","retry_guidance_documented":true,"known_agent_gotchas":["Follow-mode commands like `tail -f` may hang; prefer bounded reads (e.g., `tail -n 100`).","Recursive downloads like `wget -r` are blocked; use allowed alternatives.","Stream editing via `sed` may be blocked or restricted to read-only; prefer grep/search for analysis.","Variable expansion behavior is restricted (e.g., `$HOME/file` does not expand).","Provisioning and download tools can be disabled via config/env; agent may need to handle missing tool availability."]}}