{"id":"log-bell-avakill","name":"avakill","homepage":"https://avakill.vercel.app","repo_url":"https://github.com/log-bell/avakill","category":"security","subcategories":[],"tags":["ai-safety","agent-tooling","policy-engine","yml-policies","mcp","sandboxing","security","python"],"what_it_does":"AvaKill is an open-source safety “firewall” for AI agents: it intercepts tool calls, evaluates them against a YAML policy (deny-by-default, rule-based checks including shell/path/content scanning, rate limits, and approval gates), and blocks/kills dangerous operations before execution. It provides multiple enforcement paths: native agent hooks, an MCP proxy/wrapper, and OS-level sandboxing, with an optional daemon for shared evaluation and audit logging.","use_cases":["Blocking destructive shell commands and other high-risk tool actions from agent tool calls","Preventing unsafe file writes/edits to sensitive system directories","Detecting and blocking potential secret/PII/prompt-injection content in tool arguments/responses","Enforcing policy-driven approvals (human-in-the-loop) for specific operations like file writes","Rate limiting specific tools (e.g., web search) to reduce abuse and runaway agent behavior","Hardening and auditing agent tool activity across multiple agent frameworks (Python SDK and framework wrappers)"],"not_for":["As a substitute for robust application security controls (authz, least privilege, backups)","Guaranteeing perfect safety against all novel or application-specific attack vectors","Managing sensitive compliance obligations if policy signing/verification and audit retention requirements are not operationally enforced"],"best_when":"You need local, deterministic, policy-based guardrails around agent tool use across multiple agent runtimes (hooks/MCP/OS sandbox) with an auditable trail and configurable deny-by-default rules.","avoid_when":"You cannot practically integrate/enable one of the enforcement paths (hooks/MCP wrapping/OS sandbox) or you require a hosted, managed service with centralized policy distribution and guaranteed uptime/SLA.","alternatives":["Other guardrail frameworks and policy engines (e.g., general-purpose guardrails for LLM tool use)","Cloud/WAF-style security controls (not specific to agent tool calls)","Sandboxing/containerization and egress-control (OS/container first, policy second)","MCP tool filtering at the application layer (custom MCP server logic)"],"af_score":73.2,"security_score":49.8,"reliability_score":38.8,"package_type":"mcp_server","discovery_source":["github"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-04-04T19:32:42.222691+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":null,"has_sdk":true,"sdk_languages":["Python"],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["CLI usage (local)","Python SDK Guard / protect decorator","Framework wrappers (GuardedOpenAIClient, GuardedAnthropicClient, LangChain callback handler)"],"oauth":false,"scopes":false,"notes":"The README describes local enforcement and policy evaluation. It also mentions policy signing/verification (Ed25519/HMAC-SHA256) and a keygen command, but no service-style auth scheme (API keys/OAuth scopes) for remote access is described in the provided content."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"No pricing/hosted tiers are described; appears to be open-source distributed via pip/PyPI under AGPL."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":["SOC 2 (reported)","NIST AI RMF (reported)","EU AI Act (reported)","ISO 42001 (reported)"],"min_contract":null},"agent_readiness":{"af_score":73.2,"security_score":49.8,"reliability_score":38.8,"mcp_server_quality":45.0,"documentation_accuracy":80.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":95.0,"rate_limit_clarity":85.0,"tls_enforcement":20.0,"auth_strength":50.0,"scope_granularity":55.0,"dependency_hygiene":55.0,"secret_handling":70.0,"security_notes":"Strengths (from provided docs/manifest): deterministic, deny-by-default rule evaluation; multiple independent enforcement paths (hooks + MCP proxy + OS sandbox) to reduce single-point failure; content scanning for secrets/PII/prompt injection; policy signing/verification and keygen commands are mentioned. Uncertainties: TLS/auth details for any daemon/remote communication are not provided; dependency hygiene and vulnerability status are not verifiable from the provided content; secret handling behavior (e.g., logging redaction) is not explicitly described in the README excerpt.","uptime_documented":0.0,"version_stability":60.0,"breaking_changes_history":40.0,"error_recovery":55.0,"idempotency_support":"false","idempotency_notes":null,"pagination_style":"none","retry_guidance_documented":false,"known_agent_gotchas":["Tool name normalization may need correct mapping per agent; policy uses canonical tool names but different agents may emit different tool identifiers without proper hook/MCP wrapping.","Shell/file/path safety checks depend on correct argument structures and available metadata; ambiguous tool arguments could lead to false positives/denies.","Approval workflows require human interaction; unattended runs may stall if policies use require_approval.","If OS sandboxing/hardening profiles are misconfigured or not supported on a platform, the corresponding enforcement path may be unavailable."]}}