I built a Safety Kernel for Crews - blocks dangerous file ops automatically

Hey CrewAI community! 👋

I’ve been working on kernel-level safety for AI agents and wanted to share a demo specifically for CrewAI.

The Problem: Agents can hallucinate dangerous operations like rm -rf or DROP TABLE. Prompt engineering alone can’t reliably prevent this.

The Solution: Agent OS intercepts these at the kernel level - before they execute.

Demo

I just submitted a PR to crewAI-examples: feat: Add Agent OS safety governance example by imran-siddique · Pull Request #300 · crewAIInc/crewAI-examples · GitHub

Run it yourself:

git clone https://github.com/imran-siddique/agent-os
cd agent-os/examples/crewai-safe-mode
python crewai_safe_mode.py

What it does:

  • ✅ Wraps your CrewAI agents in a safety kernel
  • ✅ Blocks operations like rm -rf, sudo, chmod 777
  • ✅ Maintains full audit log of all agent actions
  • ✅ Zero code changes to your existing crews

Screenshot

Image: Agent OS Demo →
agent-os/examples/crewai-safe-mode/demo.svg at master · imran-siddique/agent-os

Would love feedback on:

  1. What other operations should we block by default?
  2. Would this be useful as a native CrewAI integration?

Happy to contribute upstream if there’s interest! 🛡️
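
Added example, not part of the original post and not Agent OS code: a minimal pre-execution check for the three operations the post lists (rm -rf, sudo, chmod 777), with each decision written to a hash-chained audit log. The names `split_commands`, `violation`, `digest`, `guard` and `verify` are hypothetical, and the deny rules are assumptions about what such a policy would match.

```python
import hashlib, json, os, shlex

def split_commands(line):
    """Tokenize like a POSIX shell and split on control operators."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    cmds = [[]]
    for tok in lex:  # raises ValueError on unbalanced quotes
        if tok in {";", "&&", "||", "|", "&"}:
            cmds.append([])
        else:
            cmds[-1].append(tok)
    return [c for c in cmds if c]

def violation(argv):
    """Return the deny rule matched by one command, or None."""
    prog = os.path.basename(argv[0])  # /bin/rm counts as rm
    flags = [a for a in argv[1:] if a.startswith("-")]
    short = "".join(f[1:] for f in flags if not f.startswith("--"))
    recursive = "r" in short.lower() or "--recursive" in flags
    force = "f" in short or "--force" in flags
    hits = {"sudo": prog == "sudo",
            "rm -rf": prog == "rm" and recursive and force,
            "chmod 777": prog == "chmod"
                         and any(a.lstrip("0") == "777" for a in argv[1:])}
    return next((rule for rule, hit in hits.items() if hit), None)

def digest(entry):
    """SHA-256 over every field of a log entry except its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def guard(line, log):
    """Decide allow/deny before execution; append a hash-chained log entry."""
    try:
        reasons = [r for argv in split_commands(line) if (r := violation(argv))]
    except ValueError:
        reasons = ["unparseable"]  # fail closed
    entry = {"command": line, "decision": "deny" if reasons else "allow",
             "reasons": reasons, "prev": log[-1]["hash"] if log else "0" * 64}
    entry["hash"] = digest(entry)
    log.append(entry)
    return entry["decision"]

def verify(log):
    """True if every entry's hash and link to its predecessor still check out."""
    prevs = ["0" * 64] + [e["hash"] for e in log]
    return all(e["prev"] == p and e["hash"] == digest(e) for e, p in zip(log, prevs))
```

The chain is unkeyed, so it only proves integrity if the latest hash is also stored somewhere the agent process cannot write.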

Really interesting approach. Intercepting dangerous operations at the kernel level makes a lot of sense, especially as agents start executing real system commands.

One thing I’ve been thinking about in a similar space is what happens after the execution layer — how we verify what the agent actually did.

Blocking rm -rf or DROP TABLE is important, but in more complex multi-agent systems we also start needing something like verifiable execution logs: a structured record of the agent’s decisions and actions that can be audited later.

We’ve been experimenting with this idea as part of an execution-integrity layer for agents, where actions are recorded and verifiable rather than just logged.

Curious if you’ve thought about that side of the problem — not just preventing dangerous actions, but also making agent behavior provable afterwards.

I’ve been exploring something related here: