.env is safe, but ~/.claude is not.
📦 Open source · #ai deals · #ai coding agents · #claude · #security · #shell commands · #code generation
Source: hackernews · Summarized and analyzed by Genesis Park

Summary

This article explains the background and operation of 'Prismor Warden', which protects systems from security threats such as prompt injection, privilege escalation, and credential leakage that can arise while AI coding agents autonomously access files and run shell commands. Existing OS-level security tools only detect an agent's command after it has executed, so they respond too late; Prismor instead hooks directly into the agent layer rather than the underlying OS layer and blocks dangerous actions before they run. Users can flexibly configure a YAML-based policy engine per project, and threats such as destructive command execution, sending secrets to external hosts, and reverse shell (RCE) attempts are detected and blocked according to graded severity levels. It can currently be applied to major AI coding tools such as Claude Code, Cursor, and Windsurf, and a setup wizard lets you choose observe or block mode, easily customize rules, and share them with your team.

Full text
Security for AI coding agents. A signed threat feed, agent-native security skills, and a local runtime monitor - in one package.

AI coding agents execute shell commands, read and write files, access credentials, and call external APIs. They do this autonomously, often across many steps, with limited checkpoints. This creates risks that traditional security tooling isn't designed for:

- Prompt injection - malicious content in a file, issue, or web page can redirect the agent mid-task
- Unintended destructive actions - an agent misinterprets an instruction and runs something irreversible
- Secret exfiltration - an agent reads .env or credential files as part of a debugging task and sends the content outbound
- Privilege escalation - an agent modifies sudoers, CI pipelines, or file permissions to resolve a permission error
- Dependency manipulation - an agent installs or rewrites a package at the direction of injected input

Standard OS-level and endpoint security tools monitor the kernel and filesystem. By the time they see an action, the agent has already decided to take it. The gap is at the agent layer, not the OS layer.

Prismor works at two layers: what the agent knows (skills loaded at session start) and what the agent does (runtime hook on every tool call).

```mermaid
flowchart TD
    IDE["Your IDE / Agent\n(Claude Code · Cursor · Windsurf · OpenClaw)"]
    IDE -->|"hooks (PreToolUse / PostToolUse)"| Warden
    subgraph Warden["Prismor Warden"]
        Policy["Policy Engine\n(YAML rules)"]
        Session["Session Store\n(SQLite / JSONL)"]
        Feed["Threat Feed\n(Ed25519 signed)"]
        Policy --> Session
    end
    Warden --> Allow["ALLOW action\n+ log finding"]
    Warden --> Block["BLOCK action\n+ log finding"]
```

Kernel-level and endpoint security tools intercept syscalls and monitor process activity at the OS layer. For traditional malware, this is the right place to look. For AI agents, that layer is downstream of where the decision happens.
By the time an OS-level tool sees a destructive command, the agent has already constructed and dispatched it. The tool has to race to kill the process before damage occurs - and it has no context about why the agent issued the command or what the user actually asked for.

Warden hooks into the agent's tool-use pipeline before the action reaches the OS. The command is evaluated against your policy before it is executed. If the policy says block, the shell never sees it.

A fixed list of bad strings has a short shelf life. Prismor's policy engine is YAML-driven and configurable per-project:

- Every rule has an id, severity, category, event type, and pattern list - all editable
- Your project's .prismor-warden/policy.yaml overrides defaults by id at runtime
- Allowlists suppress false positives without disabling entire rule categories

`warden policy edit` lets you toggle rules interactively without touching YAML.

```yaml
rules:
  # Disable a default rule for this project
  - id: risky-write
    enabled: false

  # Add a project-specific rule
  - id: block-prod-db
    severity: CRITICAL
    category: db_access
    title: Block production database access
    event_types: [shell]
    fields: [command]
    patterns: ["psql.*prod", "mysql.*production"]
    action: block

allowlists:
  - id: allow-test-env
    rule_ids: ["secret-access"]
    patterns: ["\\.env\\.test$"]
    reason: "Test env file has no real secrets"
```

Commit the policy file to share rules across your team. CI picks it up automatically.
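As an added illustration (not Prismor's own code), a minimal Python model of the policy semantics described above: project rules merged over defaults by id, an allowlist suppressing one rule on matching targets only, and observe versus enforce deciding whether a block-action finding stops the tool call. The default rule set and the event shape are constructed assumptions, and the project policy is held as a dict rather than parsed from YAML.

```python
import re

# Constructed default rules for illustration; not Warden's shipped rule set.
DEFAULT_RULES = [
    {"id": "secret-access", "severity": "HIGH", "event_types": ["file", "shell"],
     "fields": ["path", "command"], "patterns": [r"\.env(\.\w+)?$"], "action": "flag"},
    {"id": "risky-write", "severity": "MEDIUM", "event_types": ["file"],
     "fields": ["path"], "patterns": [r"package\.json$", r"Dockerfile$"], "action": "flag"},
]
# Project policy mirroring the page's policy.yaml example, as a dict instead of parsed YAML.
PROJECT_POLICY = {
    "rules": [
        {"id": "risky-write", "enabled": False},
        {"id": "block-prod-db", "severity": "CRITICAL", "event_types": ["shell"],
         "fields": ["command"], "patterns": ["psql.*prod", "mysql.*production"],
         "action": "block"},
    ],
    "allowlists": [
        {"id": "allow-test-env", "rule_ids": ["secret-access"],
         "patterns": [r"\.env\.test$"], "reason": "Test env file has no real secrets"},
    ],
}

def merge_rules(defaults, overrides):
    """Project entries override defaults by id; an unknown id adds a new rule."""
    merged = {r["id"]: dict(r) for r in defaults}
    for override in overrides:
        merged.setdefault(override["id"], {}).update(override)
    return [r for r in merged.values() if r.get("enabled", True)]

def evaluate(event, rules, allowlists, mode="enforce"):
    """Evaluate one tool-call event; observe mode only logs, enforce mode may block."""
    findings = []
    for rule in rules:
        if event["type"] not in rule["event_types"]:
            continue
        for fld in rule["fields"]:
            value = event.get(fld, "")
            if not any(re.search(p, value) for p in rule["patterns"]):
                continue
            # An allowlist suppresses one rule on matching targets, not the whole category.
            suppressed = any(rule["id"] in a["rule_ids"]
                             and any(re.search(p, value) for p in a["patterns"])
                             for a in allowlists)
            if not suppressed:
                findings.append((rule["id"], rule["severity"], rule["action"]))
            break  # record each rule at most once per event
    block = mode == "enforce" and any(act == "block" for _, _, act in findings)
    return ("BLOCK" if block else "ALLOW"), findings
```

A hook would call `evaluate` on each PreToolUse event and return the decision to the agent; findings are what gets written to the session log in either mode.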
Default detection rules:

| Category | Severity | What It Does |
|---|---|---|
| Destructive commands | CRITICAL | Blocks `rm -rf /`, `mkfs`, `dd` to disk, `shutdown`, `reboot` |
| Secret exfiltration | CRITICAL | Blocks `cat .env \| curl`, piping secrets to external hosts |
| DoS / resource exhaustion | CRITICAL | Blocks fork bombs, while-true loops, `/dev/urandom` abuse |
| RCE / reverse shells | CRITICAL | Blocks `bash -i /dev/tcp`, crontab injection, ncat listeners |
| Privilege escalation | CRITICAL | Blocks `chmod +s`, sudoers edits, `useradd`, `setcap` |
| Prompt injection | HIGH | Detects "ignore instructions", "reveal system prompt" in agent I/O |
| Remote execution | HIGH | Blocks `curl \| bash`, `wget \| sh` fetch-and-execute chains |
| Sensitive file access | HIGH | Flags reads/writes to `.env`, `.ssh/id_rsa`, `.aws/credentials` |
| Suspicious network | HIGH | Flags calls to webhook.site, ngrok, pastebin, Discord webhooks |
| Database modification | HIGH | Flags `DROP TABLE`, `DELETE FROM`, `TRUNCATE` in shell commands |
| Path traversal | HIGH | Flags `../../` traversal, reads of `/etc/passwd`, `/proc/self/environ` |
| Risky file writes | MEDIUM | Flags writes to Dockerfile, CI workflows, `package.json`, `go.mod` |

```bash
git clone https://github.com/PrismorSec/immunity-agent.git ~/.prismor
bash ~/.prismor/scripts/init.sh .
```

The setup wizard lets you:

- Choose enforcement mode (`observe` or `enforce`)
- Toggle detection rules on/off - each rule shows exactly what it catches
- Select which agents to hook (Claude Code, Cursor, Windsurf, OpenClaw)
- Review and confirm before installing

After setup, restart your shell and the warden command
This analysis was written by the Genesis Park editorial team with the help of AI. The original can be found via the source link.