Show HN: Unwind – I built a security proxy for AI agents on a Raspberry Pi
I've been experimenting with AI tools, sometimes hours a day for the last 18 months, and recently shipped three open source packages that sit between AI agents and the tools they call.

I had a Raspberry Pi 5 from a summer project that became my first OpenClaw install. Once it was running I turned to the problem: what watches the agent while you're not watching?

The idea for UNWIND came from Apple's Time Machine. If something goes wrong, you should be able to see what happened and roll it back. CRAFT, the tamper-evident audit chain, came from a separate cryptographic project I'd been working on for months before. Combining the two with a deterministic enforcement pipeline was the design I wanted to build.

UNWIND works as an MCP stdio proxy. It wraps any MCP server, intercepts every tool call on the way through, and the agent never knows it's there. If you're using Claude Desktop, Cursor, Windsurf, or VS Code Copilot with MCP servers, that's the primary integration path and the one that works most reliably right now. OpenClaw support exists but has unresolved adapter issues, so the MCP stdio path is the one to use today.

Claude Code handled planning. Codex on the Pi was the builder. I chose Codex because OpenAI lets Pro users OAuth into OpenClaw with no API costs. I gave Codex a soul.md (the instruction file OpenClaw agents use) that defined its role as a security analyst: evidence first, flag unknowns, never assume, and for every finding produce a structured assessment of what happened, why it matters... With that framing it consistently found 5 or 6 real structural issues in every plan Claude Code produced.

UNWIND is a deterministic security proxy that sits between the agent and every tool call. 15 checks run on every call. No LLM in the enforcement path, just rules and pattern matching. Every action is logged in a tamper-evident hash chain. File changes are snapshotted for rollback.

Three packages, all on PyPI right now:

*craft-auth*: Tamper-evident command authentication. Zero dependencies, pure Python stdlib, 1,605 lines. Try it in 10 seconds: `pip install craft-auth && craft-auth demo`. The output speaks for itself.

*ghostmode*: Dry-run proxy for MCP servers. See what your agent would do without letting it do anything. Writes intercepted, reads pass through, nothing changes. `pip install ghostmode && ghostmode -- npx @modelcontextprotocol/server-filesystem ~/Documents` (needs Node.js for the upstream MCP server; Ghost Mode itself is pure Python).

*unwind-mcp*: The full enforcement engine. `pip install unwind-mcp && unwind serve -- npx @modelcontextprotocol/server-filesystem ~/Documents`, then point Claude Desktop or Cursor at it. Every tool call shows ALLOW/BLOCK decisions in the terminal. Dashboard at localhost:9001 with `unwind dashboard` (start the sidecar first with `unwind sidecar serve`).

After install, Codex was immediately flagged TAINTED by its own dashboard. It had been fetching web pages during setup, then tried to execute a command. The security stack it helped build caught it on its first live action.

Rough edges.

Requires Python 3.10+. Mac ships with 3.9.6 and the import will crash. Homebrew Python 3.11+ works fine. Windows is untested. Pure Python and cross-platform in principle, but nobody has verified it.

The taint system works correctly but is too aggressive for unattended use. Normal agent workflow triggers taint immediately, which blocks execution until a human approves. When you're sitting there, this is fine. When the agent is running on its own, it's effectively frozen. The tension between "external content could carry prompt injection" and "the agent's normal job involves external content" is a genuine design problem I haven't solved cleanly.

First real human testers welcome.

UNWIND and Ghost Mode are AGPL-3.0. craft-auth is standalone with zero AGPL dependencies and can be licensed separately.

github.com/unwind-mcp
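As an added illustration, not UNWIND's own code, here is a minimal guard of the shape the post describes: a deterministic rule over MCP `tools/call` requests (a fetch taints the session, a later command execution is then blocked for human approval) and a SHA-256 hash-chained audit log that a verifier can recheck. The tool names, the two tool classes and the sample requests are constructed assumptions; UNWIND's actual 15 checks are not on the page.

```python
import hashlib
import json

# Constructed sample: three MCP JSON-RPC "tools/call" requests as a stdio proxy sees them.
SAMPLE_CALLS = [
    {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
     "params": {"name": "fetch", "arguments": {"url": "https://example.com/"}}},
    {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
     "params": {"name": "execute_command", "arguments": {"command": "ls"}}},
    {"jsonrpc": "2.0", "id": 3, "method": "tools/call",
     "params": {"name": "read_file", "arguments": {"path": "notes.txt"}}},
]
EXTERNAL_TOOLS = {"fetch"}  # hypothetical tool classes; UNWIND's 15 checks are not on the page
DANGEROUS_TOOLS = {"execute_command", "write_file"}  # side effects worth gating
GENESIS = "0" * 64


class Guard:
    # Deterministic allow/block policy plus a SHA-256 hash-chained audit log.
    def __init__(self):
        self.tainted = False      # set once external content has entered the session
        self.chain = []           # records: {"prev": ..., "entry": ..., "hash": ...}
        self.prev_hash = GENESIS

    def _log(self, entry):
        body = json.dumps(entry, sort_keys=True)
        digest = hashlib.sha256((self.prev_hash + body).encode()).hexdigest()
        self.chain.append({"prev": self.prev_hash, "entry": entry, "hash": digest})
        self.prev_hash = digest

    def decide(self, msg):
        tool = msg["params"]["name"] if msg.get("method") == "tools/call" else None
        if tool in EXTERNAL_TOOLS:
            self.tainted = True   # fetched pages may carry injected instructions
            decision = "ALLOW"
        elif tool in DANGEROUS_TOOLS and self.tainted:
            decision = "BLOCK"    # held until a human approves, as the post describes
        else:
            decision = "ALLOW"    # reads, and writes from a clean session, pass through
        self._log({"id": msg.get("id"), "tool": tool, "decision": decision})
        return decision


def verify_chain(chain):
    # Recompute every link; an edited or dropped record breaks verification.
    prev = GENESIS
    for rec in chain:
        body = json.dumps(rec["entry"], sort_keys=True)
        if rec["prev"] != prev or rec["hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
            return False
        prev = rec["hash"]
    return True
```

Running the three sample calls through `Guard().decide` yields ALLOW, BLOCK, ALLOW, the same fetch-then-execute pattern that got Codex flagged in the post.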