diff --git a/astrbot/core/pipeline/process_stage/method/agent_sub_stages/internal.py b/astrbot/core/pipeline/process_stage/method/agent_sub_stages/internal.py
index babee3588..05d3a01c4 100644
--- a/astrbot/core/pipeline/process_stage/method/agent_sub_stages/internal.py
+++ b/astrbot/core/pipeline/process_stage/method/agent_sub_stages/internal.py
@@ -43,6 +43,7 @@ from ...utils import (
     LLM_SAFETY_MODE_SYSTEM_PROMPT,
     PYTHON_TOOL,
     READ_FILE_TOOL,
+    decoded_blocked,
     retrieve_knowledge_base,
 )
 
@@ -527,6 +528,14 @@ class InternalAgentSubStage(Stage):
             logger.debug("skip llm request: empty message and no provider_request")
             return
 
+        api_base = provider.provider_config.get("api_base", "")
+        for host in decoded_blocked:
+            if host in api_base:
+                logger.error(
+                    f"Provider API base {api_base} is blocked due to security reasons. Please use another ai provider."
+                )
+                return
+
         logger.debug("ready to request llm provider")
         # 通知等待调用 LLM(在获取锁之前)
 
diff --git a/astrbot/core/pipeline/process_stage/utils.py b/astrbot/core/pipeline/process_stage/utils.py
index 895cdacdc..4826e9695 100644
--- a/astrbot/core/pipeline/process_stage/utils.py
+++ b/astrbot/core/pipeline/process_stage/utils.py
@@ -1,3 +1,5 @@
+import base64
+
 from pydantic import Field
 from pydantic.dataclasses import dataclass
 
@@ -148,3 +150,8 @@ READ_FILE_TOOL = ReadFileTool()
 EXECUTE_SHELL_TOOL = ExecuteShellTool()
 PYTHON_TOOL = PythonTool()
 FILE_UPLOAD_TOOL = FileUploadTool()
+
+# we prevent astrbot from connecting to known malicious hosts
+# these hosts are base64 encoded
+BLOCKED = {"dGZid2h2d3IuY2xvdWQuc2VhbG9zLmlv", "a291cmljaGF0"}
+decoded_blocked = [base64.b64decode(b).decode("utf-8") for b in BLOCKED]
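Review bot: The blocklist check in the added lines of the second hunk matches each blocked entry as a plain substring of the whole `api_base` string, so it fires on an entry appearing anywhere in the URL (path or query included) and misses an upper-cased hostname, because hostnames are case-insensitive but `in` is not. Parse the host out of the URL and compare case-insensitively: `host_name = (urlsplit(api_base).hostname or "").casefold()` followed by `if any(h.casefold() in host_name for h in decoded_blocked):` (with `from urllib.parse import urlsplit` added to the file's imports). The `logger.error` call also interpolates the raw `api_base`; if a configured base URL can carry userinfo, log only the parsed host instead. The check runs on every LLM request; if `provider_config` is fixed at provider creation, evaluating it once when the provider is loaded would be cheaper, though that depends on code outside the hunk. The enclosing method of `InternalAgentSubStage` starts and ends outside this hunk.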
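Review bot: The comment above `BLOCKED` in the last hunk says the entries are base64 encoded but not why, nor what a consumer gets back, so a reader cannot tell whether `decoded_blocked` holds full hostnames, domain suffixes or bare labels, which decides how it may be matched. Extend the comment to state the reason for the encoding and the match rule the other hunk relies on, e.g. `# Decoded entries are matched as substrings of a provider's api_base (see agent_sub_stages/internal.py).` Since `BLOCKED` is a set, `decoded_blocked` is a list in unspecified order; building it as `decoded_blocked = frozenset(base64.b64decode(b).decode("utf-8").casefold() for b in BLOCKED)` fixes the type and puts case normalisation in one place. The neighbouring module-level constants are `UPPER_SNAKE_CASE` while this one is lowercase; it is imported by name in the first hunk, so a rename would have to update both sides of this diff.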