Prismor intercepts every AI agent tool call before execution, enforces policy in real time, and writes a tamper-evident audit trail.
Open Source Repo: https://github.com/PrismorSec/prismor
Prismor intercepts every AI agent tool call before execution, enforces policy in real time, and writes a tamper-evident audit trail.
Open Source Repo: https://github.com/PrismorSec/prismor
Every cloud engineer knows IAM. Not because it's fun, but because you learned the hard way what happens without it. Someone gets a key. Blast radius is bad. You add policies, audit logs, least-privilege rules, and a lot of regret.
We're at that same moment with AI agents. Except most teams haven't had the incident yet.
When an agent runs in production with access to tools — your file system, your APIs, your databases — what stops it from doing something it shouldn't? Usually the answer is: nothing. There's no interception layer. No per-user policy. No audit log that security can read. Just vibes and hope.
immunity-agent intercepts every AI agent action before it reaches your OS, blocking prompt injection, malicious packages, and secret exfiltration across 55+ coding tools.
Repo: https://github.com/PrismorSec/immunity-agent
AI agents need secrets to work: API keys, credentials, env vars. But once those enter model context, you lose control of where they go. Agents also install packages, run shell commands, and browse the web autonomously. Any of those steps can be hijacked.
The practice of keeping sensitive keys in a .env file is a fundamental rule of modern development. It is the first line of defense that every developer learns. However, the rise of AI coding agents has introduced a subtle complication: keys are shared in agent chats and the agent might still end up creating a permanent record of those secrets elsewhere.
Even when a developer is careful to use a .env file, the moment a key is mentioned in a chat or read by the agent to debug a connection, it is recorded. We found thousands of lines of session data tucked away in hidden folders. Within these logs, API keys and access tokens were sitting in plain text, completely unencrypted and accessible to anyone who knows where to look.
immunity-agent is the open-source guard that watches the three places an agent can hurt us: what it does, what it installs, and what it leaves behind. It integrates with more than 55 AI coding tools. Before any command reaches a machine
When a layer is watching every action, secret, package, and fix in real time, we no longer have to stand over an agent's shoulder. We can let it move at full speed while something underneath continuously verifies its work.
Four components share the work: Warden is the rule-keeper. It evaluates every action through deterministic policies backed by AI analysis. Dangerous behavior like destructive commands, reverse shells, or security bypasses can be blocked before execution.
Cloak protects secrets. If an agent tries to expose an API key or password, Cloak catches it before it reaches logs, prompts, or outbound requests.
IAM gives agents only the permissions they need. A research agent can research. A deployment agent can deploy
name: claude-session-load description: > Load a specific Claude Code session into the current conversation by session id, given as a rough/possibly-mistyped uuid (e.g. "01935a40-5a79-4142-966a-47a1da99c3bb"). Reads the matching .jsonl under ~/.claude/projects/**/ (and Claude desktop's local-agent-mode-sessions), produces a concise summary of what was asked, done, and changed, and keeps the raw file path on hand to look up exact detail later in the conversation. Use when the user invokes /claude-session-load , says "load claude session ", "what happened in claude session ", "summarize this claude session", or pastes a Claude session id and asks what it contains.
name: codex-session-load description: > Load a specific Codex CLI session into the current conversation by session id, given as a rough/possibly-mistyped uuid (e.g. "019edfd4-fbf0-7100-a982-2ab5bdf125fb"). Reads the matching rollout-*.jsonl under ~/.codex/sessions (and ~/.codex/archived_sessions), produces a concise summary of what was asked, done, and changed, and keeps the raw file path on hand to look up exact detail later in the conversation. Use when the user invokes /codex-session-load , says "load codex session ", "what happened in codex session ", "summarize this codex session", or pastes a Codex session id and asks what it contains.
To trust an agent moving at this speed, we can’t be the ones checking its work. By the time we’ve read one command, it has already run three more. So the checking has to happen on its own, in the moment, on every single action. Security already has a name for that idea, which is zero trust. We stop assuming something is safe because of who is asking, and we judge each action on its own merits, every time.
It turns out our own bodies already run this exact playbook. The immune system never asks a threat for its credentials or waves it through on reputation. It watches what is happening in front of it, and it shuts the harmful thing down before it can spread. That is the layer we set out to build for AI agents, which is why we named it immunity. Like its namesake, it watches the three places an agent can hurt us: what it does, what it installs, and what it leaves broken behind.
immunity-agent is the open-source guard that does the watching, and it slots into m
Coding agents interrupt you constantly. Allow this command? Edit this file? Run this script? Those prompts exist for good reason, but they also make autonomous workflows basically impossible. A multi-hour refactor, a CI pipeline, an overnight agent run: you can't approve every step. So developers turn the prompts off.
That's a reasonable call. But it removes the only checkpoint between your agent and your filesystem, credentials, and network. Immunity Agent puts that checkpoint back, at the agent layer, without getting in your way.
| Agent | Flag / Setting | Description |
|---|