---
title: "Agent Shell for AI Agents | agentsh"
description: "agentsh is an agent shell for AI agents: execution-layer security that intercepts file, network, and process activity at runtime with deterministic policy and audit logs."
doc_version: "1.0"
last_updated: "2026-05-19"
canonical: "https://www.agentsh.org/agent-shell/"
---

# Agent Shell for AI Agents

agentsh, pronounced **agent shell**, is an execution-layer security gateway for AI agents. It wraps an agent process, intercepts file, network, and process activity at runtime, and enforces deterministic policy before the operation can complete.

## What an agent shell does

An agent shell gives AI agents the operating-system boundary that ordinary prompts cannot provide. Instead of asking the model to behave, agentsh evaluates the actual syscall-level work the agent and its subprocesses attempt.

- **Intercepts real activity.** File reads, writes, process launches, network egress, signals, and tool-driven subprocesses are observed as runtime events.
- **Enforces policy.** Rules decide whether an operation is allowed, denied, sent for approval, or steered to a safer destination.
- **Leaves evidence.** Each decision is written to audit logs and session reports.

## Why not just prompt guardrails?

Prompt guardrails depend on the model following instructions. An agent shell operates below the model, below tool descriptions, and below MCP prompts. It governs the process tree that actually touches files, networks, package managers, and shells.

Prompt-only controls can be bypassed by prompt injection, can miss behavior hidden inside subprocesses, and usually do not produce deterministic proof that an operation was blocked. Agent shell controls apply to real file, network, and command operations, follow the agent into subprocesses, and create auditable policy decisions.

## Agent shell, agentshell, and agent-shell

People search for this category as **agent shell**, **agentshell**, and **agent-shell**. The product name is **agentsh**: a short Unix-style name for an agent shell that protects AI agents at execution time.

## Where agentsh fits

Use agentsh when an AI coding agent, MCP server, sandbox, CI worker, or hosted development environment can run commands or reach sensitive data. Start with observe mode, generate a policy from a known-good workflow, then enforce the policy in production.
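The observe, generate, enforce workflow described above, sketched as an added example. This is not agentsh code and does not use agentsh's policy format; the event fields, rule tuples, paths, and hosts are constructed for illustration.

```python
import posixpath

# Constructed events from a known-good run (what an observe phase would record).
OBSERVED = [
    {"kind": "file_read", "target": "/workspace/src/app.py"},
    {"kind": "file_write", "target": "/workspace/tests/test_app.py"},
    {"kind": "exec", "target": "/usr/bin/pytest"},
    {"kind": "net_connect", "target": "pypi.org:443"},
]
# Constructed events from a later run, some outside the baseline.
LATER = [
    {"kind": "file_read", "target": "/workspace/src/util.py"},
    {"kind": "file_read", "target": "/workspace/../home/dev/.ssh/id_rsa"},
    {"kind": "exec", "target": "/usr/bin/curl"},
    {"kind": "net_connect", "target": "203.0.113.10:443"},
]

def normalize(event):
    """Collapse '..' in file paths so traversal cannot ride an allowed prefix."""
    is_file = event["kind"].startswith("file_")
    return dict(event, target=posixpath.normpath(event["target"]) if is_file else event["target"])

def generate_policy(events, workspace="/workspace"):
    """Turn observed events into allow rules; workspace files become one prefix rule."""
    rules = set()
    for e in map(normalize, events):
        in_ws = e["kind"].startswith("file_") and e["target"].startswith(workspace + "/")
        rules.add((e["kind"], workspace + "/*" if in_ws else e["target"]))
    return sorted(rules)

def decide(policy, event):
    """Same input, same answer: a matching allow rule, otherwise default deny."""
    e = normalize(event)
    for kind, pattern in policy:
        prefix = pattern.endswith("/*")
        hit = e["target"].startswith(pattern[:-1]) if prefix else e["target"] == pattern
        if kind == e["kind"] and hit:
            return "allow", f"{kind} {pattern}"
    return "deny", "default-deny"

def enforce(policy, events):
    """Decide each event before it completes; one audit record per decision."""
    return [dict(e, seq=i, decision=d, rule=r)
            for i, e in enumerate(events, 1) for d, r in [decide(policy, e)]]

if __name__ == "__main__":
    for record in enforce(generate_policy(OBSERVED), LATER):
        print(record)
```

`posixpath.normpath` only collapses `..` textually and does not resolve symlinks, so an enforcement point has to match on the path the operating system actually resolves. The audit record keeps the raw requested target so the attempted traversal stays visible as evidence.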

Related pages:

- [Execution-layer security](https://www.agentsh.org/execution-layer-security/)
- [Setup guide](https://www.agentsh.org/docs/setup/)
- [Policy reference](https://www.agentsh.org/docs/policy-reference/)
- [Examples](https://www.agentsh.org/examples/)
- [Mitigations](https://www.agentsh.org/mitigations/)

## Start with the agent shell

```bash
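# Install agentsh using the project's install script
curl -fsSL https://www.agentsh.org/install.sh | sh
# Run the agent command under agentsh so its activity passes through policy
agentsh wrap --pack code-edit -- claude code "fix the failing test"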
```

For the deeper model, read [What Is Execution-Layer Security?](https://www.agentsh.org/execution-layer-security/), then follow the [setup guide](https://www.agentsh.org/docs/setup/).
