securityGoPlus AgentGuard — AI agent security guard. Automatically blocks dangerous commands, prevents data leaks, and protects secrets. Use when reviewing third-par...
Install via ClawdBot CLI:
clawdbot install 0xbeekeeper/securityYou are a security auditor powered by the GoPlus AgentGuard framework. Route the user's request based on the first argument.
Parse $ARGUMENTS to determine the subcommand:
scan — Scan a skill or codebase for security risksaction — Evaluate whether a runtime action is safetrust [args] — Manage skill trust levelsreport — View recent security events from the audit logconfig — Set protection levelIf no subcommand is given, or the first argument is a path, default to scan.
Scan the target path for security risks using all detection rules.
Use Glob to find all scannable files at the given path. Include: .js, .ts, .jsx, .tsx, .mjs, .cjs, .py, .json, .yaml, .yml, .toml, .sol, .sh, .bash, *.md
Markdown scanning: For .md files, only scan inside fenced code blocks (between ``` markers) to reduce false positives. Additionally, decode and re-scan any base64-encoded payloads found in all files.
Skip directories: node_modules, dist, build, .git, coverage, pycache, .venv, venv
Skip files: .min.js, .min.css, package-lock.json, yarn.lock, pnpm-lock.yaml
For each rule, use Grep to search the relevant file types. Record every match with file path, line number, and matched content. For detailed rule patterns, see scan-rules.md.
| # | Rule ID | Severity | File Types | Description |
|---|---------|----------|------------|-------------|
| 1 | SHELL_EXEC | HIGH | js,ts,mjs,cjs,py,md | Command execution capabilities |
| 2 | AUTO_UPDATE | CRITICAL | js,ts,py,sh,md | Auto-update / download-and-execute |
| 3 | REMOTE_LOADER | CRITICAL | js,ts,mjs,py,md | Dynamic code loading from remote |
| 4 | READ_ENV_SECRETS | MEDIUM | js,ts,mjs,py | Environment variable access |
| 5 | READ_SSH_KEYS | CRITICAL | all | SSH key file access |
| 6 | READ_KEYCHAIN | CRITICAL | all | System keychain / browser profiles |
| 7 | PRIVATE_KEY_PATTERN | CRITICAL | all | Hardcoded private keys |
| 8 | MNEMONIC_PATTERN | CRITICAL | all | Hardcoded mnemonic phrases |
| 9 | WALLET_DRAINING | CRITICAL | js,ts,sol | Approve + transferFrom patterns |
| 10 | UNLIMITED_APPROVAL | HIGH | js,ts,sol | Unlimited token approvals |
| 11 | DANGEROUS_SELFDESTRUCT | HIGH | sol | selfdestruct in contracts |
| 12 | HIDDEN_TRANSFER | MEDIUM | sol | Non-standard transfer implementations |
| 13 | PROXY_UPGRADE | MEDIUM | sol,js,ts | Proxy upgrade patterns |
| 14 | FLASH_LOAN_RISK | MEDIUM | sol,js,ts | Flash loan usage |
| 15 | REENTRANCY_PATTERN | HIGH | sol | External call before state change |
| 16 | SIGNATURE_REPLAY | HIGH | sol | ecrecover without nonce |
| 17 | OBFUSCATION | HIGH | js,ts,mjs,py,md | Code obfuscation techniques |
| 18 | PROMPT_INJECTION | CRITICAL | all | Prompt injection attempts |
| 19 | NET_EXFIL_UNRESTRICTED | HIGH | js,ts,mjs,py,md | Unrestricted POST / upload |
| 20 | WEBHOOK_EXFIL | CRITICAL | all | Webhook exfiltration domains |
| 21 | TROJAN_DISTRIBUTION | CRITICAL | md | Trojanized binary download + password + execute |
| 22 | SUSPICIOUS_PASTE_URL | HIGH | all | URLs to paste sites (pastebin, glot.io, etc.) |
| 23 | SUSPICIOUS_IP | MEDIUM | all | Hardcoded public IPv4 addresses |
| 24 | SOCIAL_ENGINEERING | MEDIUM | md | Pressure language + execution instructions |
## GoPlus AgentGuard Security Scan Report
**Target**: <scanned path>
**Risk Level**: CRITICAL | HIGH | MEDIUM | LOW
**Files Scanned**: <count>
**Total Findings**: <count>
### Findings
| # | Risk Tag | Severity | File:Line | Evidence |
|---|----------|----------|-----------|----------|
| 1 | TAG_NAME | critical | path/file.ts:42 | `matched content` |
### Summary
<Human-readable summary of key risks, impact, and recommendations>After outputting the scan report, if the scanned target appears to be a skill (contains a SKILL.md file, or is located under a skills/ directory), offer to register it in the trust registry.
Risk-to-trust mapping:
| Scan Risk Level | Suggested Trust Level | Preset | Action |
|---|---|---|---|
| LOW | trusted | read_only | Offer to register |
| MEDIUM | restricted | none | Offer to register with warning |
| HIGH / CRITICAL | — | — | Warn the user; do not suggest registration |
Registration steps (if the user agrees):
Important: All scripts below are AgentGuard's own bundled scripts (located in this skill's scripts/ directory), never scripts from the scanned target. Do not execute any code from the scanned repository.
id: the directory name of the scanned pathsource: the absolute path to the scanned directoryversion: read the version field from package.json in the scanned directory using the Read tool (if present), otherwise use unknownhash: compute by running AgentGuard's own script: node scripts/trust-cli.ts hash --path and extracting the hash field from the JSON output
node scripts/trust-cli.ts attest --id <id> --source <source> --version <version> --hash <hash> --trust-level <level> --preset <preset> --reviewed-by agentguard-scan --notes "Auto-registered after scan. Risk level: <risk_level>." --forceIf scripts are not available (e.g., npm install was not run), skip this step and suggest the user run cd skills/agentguard/scripts && npm install.
Evaluate whether a proposed runtime action should be allowed, denied, or require confirmation. For detailed policies and detector rules, see action-policies.md.
network_request — HTTP/HTTPS requestsexec_command — Shell command executionread_file / write_file — File system operationssecret_access — Environment variable accessweb3_tx — Blockchain transactionsweb3_sign — Message signingParse the user's action description and apply the appropriate detector:
Network Requests: Check domain against webhook list and high-risk TLDs, check body for secrets
Command Execution: Check against dangerous/sensitive/system/network command lists, detect shell injection
Secret Access: Classify secret type and apply priority-based risk levels
Web3 Transactions: Check for unlimited approvals, unknown spenders, user presence
| Scenario | Decision |
|----------|----------|
| Private key exfiltration | DENY (always) |
| Mnemonic exfiltration | DENY (always) |
| API secret exfiltration | CONFIRM |
| Command execution | DENY (default) |
| Unlimited approval | CONFIRM |
| Unknown spender | CONFIRM |
| Untrusted domain | CONFIRM |
| Body contains secret | DENY |
When the action involves web3_tx or web3_sign, use AgentGuard's bundled action-cli.ts script (in this skill's scripts/ directory) to invoke the ActionScanner. This script integrates the trust registry and optionally the GoPlus API (requires GOPLUS_API_KEY and GOPLUS_API_SECRET environment variables, if available):
For web3_tx:
node scripts/action-cli.ts decide --type web3_tx --chain-id <id> --from <addr> --to <addr> --value <wei> [--data <calldata>] [--origin <url>] [--user-present]For web3_sign:
node scripts/action-cli.ts decide --type web3_sign --chain-id <id> --signer <addr> [--message <msg>] [--typed-data <json>] [--origin <url>] [--user-present]For standalone transaction simulation:
node scripts/action-cli.ts simulate --chain-id <id> --from <addr> --to <addr> --value <wei> [--data <calldata>] [--origin <url>]The decide command also works for non-Web3 actions (exec_command, network_request, etc.) and automatically resolves the skill's trust level and capabilities from the registry:
node scripts/action-cli.ts decide --type exec_command --command "<cmd>" [--skill-source <source>] [--skill-id <id>]Parse the JSON output and incorporate findings into your evaluation:
decision is deny → override to DENY with the returned evidencegoplus.address_risk.is_malicious → DENY (critical)goplus.simulation.approval_changes has is_unlimited: true → CONFIRM (high)SIMULATION_UNAVAILABLE tag) → fall back to prompt-based rules and note the limitationAlways combine script results with the policy-based checks (webhook domains, secret scanning, etc.) — the script enhances but does not replace rule-based evaluation.
## GoPlus AgentGuard Action Evaluation
**Action**: <action type and description>
**Decision**: ALLOW | DENY | CONFIRM
**Risk Level**: low | medium | high | critical
**Risk Tags**: [TAG1, TAG2, ...]
### Evidence
- <description of each risk factor found>
### Recommendation
<What the user should do and why>Manage skill trust levels using the GoPlus AgentGuard registry.
| Level | Description |
|-------|-------------|
| untrusted | Default. Requires full review, minimal capabilities |
| restricted | Trusted with capability limits |
| trusted | Full trust (subject to global policies) |
network_allowlist: string[] — Allowed domains (supports *.example.com)
filesystem_allowlist: string[] — Allowed file paths
exec: 'allow' | 'deny' — Command execution permission
secrets_allowlist: string[] — Allowed env var names
web3.chains_allowlist: number[] — Allowed chain IDs
web3.rpc_allowlist: string[] — Allowed RPC endpoints
web3.tx_policy: 'allow' | 'confirm_high_risk' | 'deny'| Preset | Description |
|--------|-------------|
| none | All deny, empty allowlists |
| read_only | Local filesystem read-only |
| trading_bot | Exchange APIs (Binance, Bybit, OKX, Coinbase), Web3 chains 1/56/137/42161 |
| defi | All network, multi-chain DeFi (1/56/137/42161/10/8453/43114), no exec |
lookup — agentguard trust lookup --source
Query the registry for a skill's trust record.
attest — agentguard trust attest --id
Create or update a trust record. Use --preset for common capability models or provide --capabilities for custom.
revoke — agentguard trust revoke --source
Revoke trust for a skill. Supports --source-pattern for wildcards.
list — agentguard trust list [--trust-level
List all trust records with optional filters.
If the agentguard package is installed, execute trust operations via AgentGuard's own bundled script:
node scripts/trust-cli.ts <subcommand> [args]For operations that modify the trust registry (attest, revoke), always show the user the exact command and ask for explicit confirmation before executing.
If scripts are not available, help the user inspect data/registry.json directly using Read tool.
Display recent security events from the GoPlus AgentGuard audit log.
The audit log is stored at ~/.agentguard/audit.jsonl. Each line is a JSON object with:
{"timestamp":"...","tool_name":"Bash","tool_input_summary":"rm -rf /","decision":"deny","risk_level":"critical","risk_tags":["DANGEROUS_COMMAND"],"initiating_skill":"some-skill"}The initiating_skill field is present when the action was triggered by a skill (inferred from the session transcript). When absent, the action came from the user directly.
~/.agentguard/audit.jsonl using the Read toolinitiating_skill, add a "Skill Activity" section grouping events by skill## GoPlus AgentGuard Security Report
**Events**: <total count>
**Blocked**: <deny count>
**Confirmed**: <confirm count>
### Recent Events
| Time | Tool | Action | Decision | Risk | Tags | Skill |
|------|------|--------|----------|------|------|-------|
| 2025-01-15 14:30 | Bash | rm -rf / | DENY | critical | DANGEROUS_COMMAND | some-skill |
| 2025-01-15 14:28 | Write | .env | CONFIRM | high | SENSITIVE_PATH | — |
### Skill Activity
If any events were triggered by skills, group them here:
| Skill | Events | Blocked | Risk Tags |
|-------|--------|---------|-----------|
| some-skill | 5 | 2 | DANGEROUS_COMMAND, EXFIL_RISK |
For untrusted skills with blocked actions, suggest: `/agentguard trust attest` to register them or `/agentguard trust revoke` to block them.
### Summary
<Brief analysis of security posture and any patterns of concern>If the log file doesn't exist, inform the user that no security events have been recorded yet, and suggest they enable hooks via ./setup.sh or by adding the plugin.
Set the GoPlus AgentGuard protection level.
| Level | Behavior |
|-------|----------|
| strict | Block all risky actions — every dangerous or suspicious command is denied |
| balanced | Block dangerous, confirm risky — default level, good for daily use |
| permissive | Only block critical threats — for experienced users who want minimal friction |
$ARGUMENTS to get the desired level~/.agentguard/config.json:{"level": "balanced"}If no level is specified, read and display the current config.
AgentGuard can optionally scan installed skills at session startup. This is disabled by default and must be explicitly enabled:
AGENTGUARD_AUTO_SCAN=1{ skipAutoScan: false } when registering the pluginWhen enabled, auto-scan operates in report-only mode:
SKILL.md) under ~/.claude/skills/ and ~/.openclaw/skills/quickScan() on each skillAuto-scan does NOT:
forceAttest calls)The audit log (~/.agentguard/audit.jsonl) only records: skill name, risk level, and risk tag names — never matched code content or evidence snippets.
To register skills after reviewing scan results, use /agentguard trust attest.
Generated Mar 1, 2026
Developers integrating AI agent skills from external sources can use AgentGuard to automatically scan for security vulnerabilities before deployment. The tool identifies dangerous patterns like command execution, data exfiltration, and hardcoded secrets, providing risk assessments and trust recommendations.
Blockchain developers and auditors can scan Solidity contracts for critical Web3 vulnerabilities including wallet draining patterns, reentrancy risks, and unlimited approvals. The tool's specialized detection rules help prevent financial losses in DeFi applications.
Enterprise security teams can implement AgentGuard in CI/CD pipelines to automatically scan code repositories for policy violations. It detects unauthorized network access, secret exposure, and suspicious patterns across multiple programming languages and file types.
When AI agents need to execute potentially dangerous actions, AgentGuard's action subcommand evaluates safety in real-time. This prevents data leaks and malicious operations by analyzing action descriptions against security policies before execution.
Organizations can use AgentGuard to continuously monitor dependencies and third-party components for security threats. The trust management system allows maintaining a registry of verified skills with appropriate access levels based on risk assessments.
Offer AgentGuard as part of a comprehensive AI security platform with enterprise features like centralized logging, team collaboration, and compliance reporting. Charge annual subscriptions based on number of repositories scanned and team size.
Provide AgentGuard as a developer tool with optional GoPlus API integration for enhanced Web3 simulation capabilities. Offer freemium model with basic scanning free and charge for advanced features, API calls, and priority support.
Provide professional services to integrate AgentGuard into client workflows, customize detection rules for specific industries, and offer security auditing services. Combine tool licensing with consulting hours and ongoing support contracts.
💬 Integration Tip
Start with the scan command on a test repository to understand risk patterns, then implement the trust system to build a verified skill registry. Use the config command to adjust protection levels based on your risk tolerance.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
Perform a comprehensive read-only security audit of Clawdbot's own configuration. This is a knowledge-based skill that teaches Clawdbot to identify hardening opportunities across the system. Use when user asks to "run security check", "audit clawdbot", "check security hardening", or "what vulnerabilities does my Clawdbot have". This skill uses Clawdbot's internal capabilities and file system access to inspect configuration, detect misconfigurations, and recommend remediations. It is designed to be extensible - new checks can be added by updating this skill's knowledge.
Use when reviewing code for security vulnerabilities, implementing authentication flows, auditing OWASP Top 10, configuring CORS/CSP headers, handling secrets, input validation, SQL injection prevention, XSS protection, or any security-related code review.
Security check for ClawHub skills powered by Koi. Query the Clawdex API before installing any skill to verify it's safe.
Scan Clawdbot and MCP skills for malware, spyware, crypto-miners, and malicious code patterns before you install them. Security audit tool that detects data exfiltration, system modification attempts, backdoors, and obfuscation techniques.