Linux-first · Open-source security layer

Your AI can act. You decide how far.

MonkeyShield sits between an AI agent and your operating system, controlling what it can read, write, execute and access.

Deny by default Human approval Full audit trail
LIVE POLICY TRACE ACTIVE
AI AGENT local-agent-01 Qwen / Llama / custom
MONKEYSHIELD CORE Policy engine context · identity · intent · risk
ALLOWED file.read /workspace/docs/*
BLOCKED shell.execute sudo rm -rf /
01 / PROBLEM

AI agents are gaining tools faster than they are gaining boundaries.

The model is not the only attack surface. Every permission behind it multiplies the damage a bad instruction can cause.

01

Overprivileged agents

One process often receives broad access to files, shell commands, APIs and secrets just to complete a narrow task.

EXCESSIVE PERMISSIONS
02

Prompt injection becomes action

A malicious document or webpage can influence the agent. Without enforcement, text can become a system-level operation.

UNTRUSTED INPUT
03

Invisible decisions

When actions are scattered across tools and logs, it becomes difficult to answer who requested what, why and with which result.

LOW OBSERVABILITY
02 / CAPABILITIES

A security boundary designed around agent actions.

01

Deny by default

Nothing passes unless an explicit policy allows it.

02

Human approval

Risky operations pause before execution and ask the operator.

03

Tamper-evident audit

Every request, decision and policy version leaves a trace.

04

Fine-grained scope

Control paths, commands, hosts, methods, identities and runtime context.

monkeyshield://policy-engine
POLICY DECISION Default action: DENY
request: file.write
resource: /etc/ssh/sshd_config
identity: local-agent-01
matched_rule: none
result: BLOCKED
APPROVAL REQUIRED Operator confirmation requested
request: shell.execute
command: apt install tcpdump
risk_score: 72 / 100
mode: HUMAN_APPROVAL
timeout: 120s
AUDIT EVENT Action chained into signed log
event_id: ms_01JZP8V7
policy_hash: 6c0d…a918
previous_hash: 3ee4…0b11
integrity: VERIFIED
SCOPED ALLOW Least privilege in action
allow: file.read
paths:
  - /workspace/src/**
except:
  - **/.env
  - **/secrets/**
result: ALLOWED
03 / ARCHITECTURE

The agent never touches the system directly.

Each tool request is intercepted, enriched with context, evaluated against policy and only then executed—or stopped.

Click a technical term to see a plain-language explanation.

SOURCE
AI
· ·
tool request
ENFORCEMENT
MS
MonkeyShieldidentity · policy · approval · audit
controlled action
TARGET
read · write · delete
execute · process · privilege
host · method · destination
01 Detect 02 Evaluate 03 Approve 04 Enforce 05 Record
04 / POLICY AS CODE

Readable rules. Predictable behavior.

Security policies should be reviewable, versioned and easy to explain—not buried in opaque model behavior.

Path and command patterns Per-agent identities and roles Explicit approval thresholds Versioned, auditable decisions
policy.yaml
version: "1"
default: deny

identities:
  local-agent-01:
    allow:
      - action: file.read
        paths:
          - "/workspace/**"
        except:
          - "**/.env"
          - "**/secrets/**"

      - action: shell.execute
        commands:
          - "git status"
          - "pytest *"
        approval_required: true
SECURITY SPECTRUM

Built where Red, Blue and Green become Purple.

Attack thinking finds the paths. Defensive engineering closes them. Safe operations keep the system useful. MonkeyShield combines all three.

RED
BLUE
GREEN
PURPLE MONKEYSHIELD
05 / ROADMAP

Start narrow. Build the boundary correctly.

NOW · MVP

Linux enforcement core

  • file.read / file.write
  • shell.execute
  • deny-by-default YAML policies
  • local audit trail
NEXT

Human approval & network

  • interactive approval broker
  • network.request controls
  • risk-based policy decisions
  • signed policy versions
LATER

Agent security platform

  • Windows support
  • RAG content quarantine
  • memory and secret protection
  • central observability
OPEN SOURCE · IN DEVELOPMENT

Give AI tools. Keep control.

MonkeyShield is being built in public by MonkeyPivot as the first project in the MonkeyAI Security Tools ecosystem.

Repository link will appear here after the first public release.