AGENT FIREWALL

Treat every input your AI agent touches as hostile.

Prompt injection is OWASP LLM01 — and Google measured a +32% surge in injection payloads hidden in web content over three months of 2026. Agent Firewall is the deterministic gate an agent calls on everything it ingests or emits: injection scanning, URL/IP vetting, pwned-password checks, and secret/PII redaction. No LLM.

FreeDeterministic — no LLMHIBP · RDAP · Tor · Team CymruHTTP + MCP

Try the injection scanner

verdict appears here…

The tools

Endpoint	What it does
`/api/scan-content`	Detect prompt injection / jailbreak / obfuscation (zero-width, bidi, hidden HTML) → allow/review/block
`/api/scan-secrets`	Detect leaked API keys, tokens, private keys + PII → findings + redacted copy
`/api/check-url`	URL/domain safety: punycode, shorteners, suspicious TLDs, brand lookalikes, domain age, redirects
`/api/check-ip`	IP reputation: Tor exit, ASN/org, reverse DNS, datacenter, blocklist
`/api/check-password`	Is a password breached? HIBP k-anonymity (plaintext never leaves the server)

Use it from an agent (MCP)

{ "mcpServers": { "agent-firewall": { "command": "npx", "args": ["-y", "agent-firewall-mcp"] } } }

Why it exists

OWASP's guidance on LLM01 is explicit: no single technique fully stops injection, so the right architecture is defense-in-depth — independent layers that each raise the attacker's cost. Detectors like Azure Prompt Shield are platform-locked and enterprise. This is the free, standalone, in-loop layer — same input, same output, all public data.