Show HN: Pipelock – All-in-one security harness for AI coding agents

pipejosh Tuesday, February 10, 2026

I'm a plumber who taught himself to code. I run a plumbing company during the day and mess with my homelab at night. About a year ago I started running AI agents with full shell access and API keys to help manage my business. Scheduling, invoicing, monitoring my K3s cluster.

It worked great until I realized nothing was stopping those agents from sending my credentials anywhere. I had API keys for Slack, email, cloud services, all sitting in environment variables that any tool call could exfiltrate. Static scanners check code before you install it, but they can't catch a trusted tool that decides to phone home at runtime.

So I built Pipelock. Single Go binary, sits between your AI agent and the outside world.

What it does:

- Scans all outbound traffic for secrets (API keys, tokens, passwords) and blocks them before they leave

- Blocks network access to unauthorized destinations (SSRF protection)

- Wraps MCP servers as a stdio proxy, scanning responses for prompt injection

- Monitors your workspace files for unauthorized changes

The hard part was making it fast enough that you don't notice it's there. Every HTTP request runs through regex matching and entropy analysis. I spent a lot of time getting the scanning pipeline under a few milliseconds of latency. The MCP proxy was trickier. Intercepting JSON-RPC stdio streams in real time without breaking the conversation flow when something gets flagged took some iteration.

I run it daily on my own setup. My AI assistant manages Slack messages, queries our job management API, checks email, and monitors my Kubernetes cluster. Pipelock sits in front of all of it. Last week it caught a skill that was embedding my Slack token in a debug log heading to an external endpoint. Never would have noticed without the DLP scanner.

Snyk recently found that 283 out of 3,984 published agent skills (about 7%) were leaking credentials. That's the problem space. Static scanning catches malware. Runtime scanning catches everything else.

Try it:

    brew install luckyPipewrench/tap/pipelock
    pipelock generate config --preset balanced -o pipelock.yaml
    pipelock proxy start --config pipelock.yaml

Demo: https://asciinema.org/a/I1UzzECkeCBx6p42

Curious for feedback on the detection approach. Exfiltration patterns I'm missing, whether the MCP proxy is useful to people running coding agents, and what breaks if you try it.
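
The two-stage check the post describes (regex matching, then entropy analysis) on an outbound request body, as an added Go example; it is not Pipelock's code. The two secret patterns, the 20-character candidate length, the 4.0 bits-per-character cutoff and the sample body are assumptions.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
)

// Finding records which rule flagged which substring of an outbound body.
type Finding struct{ Rule, Match string }

// Assumed formats, not Pipelock's rule set; each group name is the rule name.
var known = []*regexp.Regexp{
	regexp.MustCompile(`(?P<slack_token>xox[abprs]-[0-9A-Za-z-]{10,})`),
	regexp.MustCompile(`(?P<aws_access_key>AKIA[0-9A-Z]{16})`),
}

var candidate = regexp.MustCompile(`[0-9A-Za-z+/_-]{20,}`) // long key-like runs

// shannon returns the Shannon entropy of s in bits per character.
func shannon(s string) float64 {
	counts, n, h := map[rune]float64{}, 0.0, 0.0
	for _, r := range s {
		counts[r]++
		n++
	}
	for _, c := range counts {
		h -= c / n * math.Log2(c/n)
	}
	return h
}

// ScanOutbound runs the known formats, then flags tokens at >= 4.0 bits/char (assumed cutoff).
func ScanOutbound(body string) (out []Finding) {
	for _, re := range known {
		for _, m := range re.FindAllString(body, -1) {
			out = append(out, Finding{re.SubexpNames()[1], m})
		}
	}
	for _, tok := range candidate.FindAllString(body, -1) {
		if shannon(tok) >= 4.0 {
			out = append(out, Finding{"high-entropy", tok})
		}
	}
	return out
}

func main() { // constructed request body; the token is fake
	fmt.Println(ScanOutbound(`{"debug":"token=xoxb-000000000000-EXAMPLEEXAMPLE"}`))
}
```

The regex pass catches secrets with a recognizable prefix even when their entropy is low, and the entropy pass catches random-looking tokens no pattern names; long low-entropy strings such as hyphenated slugs pass both.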
