AI Agents Will Curl Your Localhost

Published 22 June 2026

AI models know that 169.254.169.254 returns cloud metadata. They know localhost:6443 is where Kubernetes lives. They know 10.0.0.0/8 is private network space. When you give them agent tasks involving network access, they will target these endpoints. Not maliciously. Just competently.

The model knows too much

Large language models are trained on infrastructure documentation, DevOps guides, and security research. They know the internal topology of cloud environments. They know the standard ports for every major service. They know the IP ranges reserved for private networks.

This knowledge is useful when a human is asking questions. It's dangerous when an autonomous agent is generating commands to execute.

What this looks like

    # Agent doing "infrastructure recon"
    curl -s http://169.254.169.254/latest/meta-data/   # leaks IAM credentials on AWS/GCP

    # Agent "checking services"
    curl -k https://localhost:6443/healthz             # Kubernetes API, cluster admin access

    # Agent "testing internal endpoints"
    curl http://10.0.0.1:8080/debug/vars               # exposes Go runtime internals

    # Agent "verifying connectivity"
    curl http://192.168.1.1/admin                      # router admin panel

None of these are jailbreaks. The model isn't being tricked. It's generating the commands it was trained to know about for the task it was given. The problem is that "useful knowledge" and "dangerous target" overlap completely in infrastructure contexts.

The more autonomous, the more dangerous

If a human approves every command, the human is the gate. They see 169.254.169.254 and reject it. But the trend in AI coding tools is toward more autonomy — agents that run commands without human review. The more autonomous the agent, the more you need an automated gate.

The fix: validate commands before execution

Check validates every command before it reaches the shell. Commands targeting localhost, private IP ranges, cloud metadata endpoints, and internal services are blocked automatically.

    # Check blocks internal targets
    $ check curl http://169.254.169.254/latest/meta-data/
    invalid
    $ check curl http://localhost:8080/debug/vars
    invalid
    $ check curl http://10.0.0.1/admin
    invalid

    # Check allows legitimate targets
    $ check curl https://api.stripe.com/v1/charges
    runnable

    npx @golproductions/check --install your_key

120 free checks. Install in 30 seconds.

$0.0068 AUD per check. No subscription. Credits never expire.

Frequently asked questions

Why do AI agents target internal endpoints?

LLMs are trained on infrastructure documentation and know about metadata endpoints, private IPs, and internal services. When given tasks involving network access, they generate commands targeting these endpoints because they're relevant — not because they're malicious.

What internal targets does Check block?

Localhost, private IPv4 ranges (10.x, 172.16.x, 192.168.x), cloud metadata endpoints (169.254.169.254), IPv6 private addresses, and DNS rebinding domains that resolve to internal IPs.

Does Check block all internal network access?

Check validates commands before execution. Commands targeting internal or private addresses are flagged as invalid. Commands targeting legitimate public endpoints are allowed through.
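
A sketch of the target check described in the FAQ above, added here as an illustration in Python (it is not Check's implementation and not code from this page): it pulls scheme-qualified URLs out of a command, normalises IP literals including legacy and IPv4-mapped spellings, and flags any address that is not globally routable. SAMPLE_DNS, sample_resolver and the example.com / example.net names are constructed so it runs offline; scheme-less arguments such as "curl localhost:8080" are out of scope.

```python
import ipaddress
import re
import shlex
import socket
from urllib.parse import urlsplit

URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
# Constructed DNS answers so the example runs offline (not real lookups).
SAMPLE_DNS = {"localhost": {"127.0.0.1", "::1"}, "api.example.com": {"93.184.216.34"},
              "rebind.example.net": {"93.184.216.34", "10.0.0.5"}}

def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise socket.gaierror(f"no constructed record for {host}")
    return SAMPLE_DNS[host]

def literal_ip(host):
    """Return host as a canonical IP string if it is an IP literal, else None."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    try:  # legacy IPv4 spellings: 2130706433, 0x7f.1 and 127.1 all mean 127.0.0.1
        return socket.inet_ntoa(socket.inet_aton(host))
    except OSError:
        return None

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:  # e.g. ::ffff:169.254.169.254
        ip = ip.ipv4_mapped
    return not ip.is_global or ip.is_multicast

def check_command(command, resolver):
    """Return ('runnable', []) or ('invalid', reasons) for one command line."""
    reasons = []
    for token in shlex.split(command):
        if not URL_RE.match(token):
            continue
        try:
            host = urlsplit(token).hostname
            if not host:
                raise ValueError("no host")
            literal = literal_ip(host)
            addrs = {literal} if literal else resolver(host)
        except (OSError, ValueError):  # fail closed on anything unparseable
            reasons.append(f"{token}: cannot determine target")
            continue
        reasons += [f"{host} -> {a}" for a in sorted(addrs) if is_internal(a)]
    return ("invalid" if reasons else "runnable", reasons)
```

In real use, pass a resolver built on socket.getaddrinfo and make the client connect to the address that was checked (for curl, --resolve host:port:addr); otherwise a rebinding name can answer differently on the second lookup.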