🛡️ AgentVet

> Security scanner for AI agent skills, configs, and MCP tools. Vet before you trust.

![License: MIT](https://opensource.org/licenses/MIT)

---

Why AgentVet?

AI agents like Claude Code, Devin, Cursor, and Clawdbot are increasingly using external skills, plugins, and MCP tools. These files are often:

- Unsigned — no way to verify authenticity
- User-contributed — anyone can publish to skill marketplaces
- Highly privileged — agents can execute code, access files, and make API calls

A single malicious skill can exfiltrate credentials, install backdoors, or hijack your agent's actions.

AgentVet scans these files before they can do damage.

---

Features

- 🔍 Credential Detection — Finds hardcoded API keys, tokens, and secrets
- 🌐 Suspicious URL Detection — Flags webhook.site, ngrok, pastebin, and other exfiltration endpoints
- ⚠️ Dangerous Command Patterns — Detects rm -rf, curl | bash, eval(), and similar risks
- 📁 Permission Analysis — Identifies overly permissive file access patterns
- 🔐 File Permission Checks — Warns when sensitive files have insecure permissions
- 🦠 YARA Integration — Advanced threat detection with AI agent-specific YARA rules
- 📦 Dependency Scanning — npm audit and pip-audit integration for vulnerability detection
- 🧠 LLM Intent Analysis — AI-powered detection of malicious instructions in agent configs

---

Installation

``bash npm install -g @agentvet/cli`

Or run directly with npx:

`bash npx @agentvet/cli scan ./my-skills`

---

`Usage`

`$3`

`bash agentvet scan ./skills/my-skill`

`$3`

`bash agentvet scan https://github.com/user/agent-config`

`$3`

`bash

`Human-readable (default)`


agentvet scan ./skills
JSON output for CI/CD

agentvet scan ./skills --format json --output report.json
Quiet mode (summary only)

agentvet scan ./skills --quiet


$3
AgentVet scans for vulnerable dependencies using npm audit and pip-audit:

`bash

`Dependency scanning enabled by default`


agentvet scan ./my-project
Disable dependency scanning

agentvet scan ./my-project --no-deps

Supports: - npm: Scanspackage-lock.jsonfor known vulnerabilities - pip: Scansrequirements.txt using pip-audit (requires pip install pip-audit)

`$3`

Use AI to analyze agent instructions for malicious intent:

`bash

`Enable LLM analysis (requires API key)`


export OPENAI_API_KEY=sk-...
agentvet scan ./skills --llm
Or use Anthropic

export ANTHROPIC_API_KEY=sk-ant-...
agentvet scan ./skills --llm --llm-provider anthropic
Specify model

agentvet scan ./skills --llm --llm-model gpt-4o


Detects:
- Prompt injection — Attempts to override system instructions
- Hidden commands — Secret instructions triggered by conditions
- Data exfiltration — Instructions to leak data externally
- Deceptive behavior — Instructions to hide actions or lie
$3
AgentVet includes built-in YARA rules for AI agent threats:

`bash

`YARA enabled by default`


agentvet scan ./skills
Disable YARA scanning

agentvet scan ./skills --no-yara
Use custom YARA rules

agentvet scan ./skills --yara-rules ./my-rules

YARA works in two modes: - yara-cli: Uses the nativeyaracommand (fastest, requires yara installed) - js-fallback: Pure JavaScript implementation (works everywhere, no dependencies)

`$3`

Create .agentvetignore in your project root to exclude files:

`gitignore

`Ignore test fixtures`


test/fixtures/
Ignore documentation with example patterns

docs/*.md
Ignore backup files

*.bak
Ignore specific security tool that contains patterns

scripts/security-scanner.js

Supports gitignore-style patterns: -* matches anything except /-** matches everything including /-/patternanchors to root -pattern/ matches directories

`$3`

| Code | Meaning | |------|---------| | 0 | No issues found (or warnings only) | | 1 | Critical or high severity issues found |

---

`What It Scans`

| Target | Description | |--------|-------------| |SKILL.md / skill.md| Clawdbot skill definitions | |AGENTS.md| Agent instruction files | |mcp.json / mcp-config.json| MCP tool configurations | |claude_desktop_config.json| Claude Desktop MCP config | |cline_mcp_settings.json| Cline MCP settings | |.cursor-mcp.json| Cursor MCP config | |.js, .ts, *.py| Scripts referenced by skills | |.env, config.json | Configuration files |

---

`Detection Rules`

`$3`


- Hardcoded AWS keys, API tokens, private keys
- Known malware patterns (YARA-based)
- Data exfiltration URLs (webhook.site, requestbin, etc.)
- MCP: Unrestricted command execution (

bash, sh

)
- MCP: Shell injection risks (

-c

 flag patterns)
- MCP: Hardcoded credentials in tool configs
- MCP: Root filesystem access
$3

- Dangerous shell commands (

rm -rf /, curl | bash

)
- Eval/exec patterns in scripts
- Overly broad file access permissions
- Insecure file permissions on credential files
- MCP: Tunnel services (ngrok, localtunnel)
- MCP: Raw IP address endpoints
- MCP: Unrestricted filesystem/network access
- MCP: Environment variable exposure
$3

- Unusual network endpoints
- Deprecated API usage
$3

- Prompt Injection — System override attempts, jailbreak patterns
- Agent Hijacking — Hidden instructions, behavior modification
- Credential Exfiltration — Env leaks, file theft to external endpoints
- Backdoors — Reverse shells, crypto miners, remote access
- Supply Chain — Package hijacking, postinstall attacks
- Obfuscation — Base64/hex encoded payloads
- Privilege Escalation — sudo abuse, setuid patterns
---
CI/CD Integration
$3
Use the official AgentVet action:

`yaml name: AgentVet Security Scan on: [push, pull_request]

jobs: scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Run AgentVet uses: taku-tez/agentvet@v1 with: path: '.' severity: 'warning' fail-on-critical: 'true'`

`$3`

`yaml name: AgentVet Security Scan on: [push, pull_request]

jobs: scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Run AgentVet run: npx agentvet scan . --format json --output agentvet-report.json - name: Upload Report uses: actions/upload-artifact@v4 with: name: agentvet-report path: agentvet-report.json`

`$3`

`bash

`.git/hooks/pre-commit`


npx agentvet scan . --quiet || exit 1


---
Contributing
Contributions welcome! See CONTRIBUTING.md for guidelines.
$3

Rules are defined in src/rules/. Each rule exports:

`javascript module.exports = { id: 'credential-aws-key', severity: 'critical', description: 'Hardcoded AWS access key', pattern: /AKIA[0-9A-Z]{16}/g, recommendation: 'Use environment variables or a secrets manager' };`

---

`License`

MIT © AgentVet Contributors

---

Don't let rogue skills hijack your AI agent. Vet first. 🛡️

`Permission Manifest & Trust Chain`

AgentVet supports Permission Manifests - declarative files that specify what permissions a skill requires. This enables:

- Transparency: Users know exactly what a skill will access before installing - Verification: AgentVet can compare declared vs actual permissions - Trust Chains: Track who created, audited, and verified a skill

`$3`

`bash

`Generate manifest from detected usage`


agentvet manifest init ./my-skill
Validate manifest schema

agentvet manifest validate ./my-skill
Verify skill matches its manifest (CI-friendly)

agentvet manifest verify ./my-skill
Show trust chain

agentvet manifest trust ./my-skill
Add audit entry (after code review)

agentvet manifest audit ./my-skill --auditor "org:mycompany" --notes "Reviewed 2026-01-31"
Show example manifest

agentvet manifest example

$3

`json { "version": "1.0", "name": "my-skill", "permissions": { "exec": ["git", "npm"], "network": ["api.github.com", "*.openai.com"], "files": ["read:./", "write:./output"], "secrets": ["GITHUB_TOKEN"], "elevated": false }, "trust": { "author": "github:username", "audits": [ { "auditor": "org:acme-corp", "date": "2026-01-31", "contentHash": "sha256:...", "scope": "full" } ], "verified": true } }``

$3

| Level | Description |
|-------|-------------|
| Self | Self-declared, no external audit |
| Community | Audited by community member |
| Organization | Audited by trusted organization |
| Registry | Verified by official registry (ClawdHub) |
| Official | Official skill from OpenClaw team |

🛡️ AgentVet

> Security scanner for AI agent skills, configs, and MCP tools. Vet before you trust.

![License: MIT](https://opensource.org/licenses/MIT)

---

Why AgentVet?

AI agents like Claude Code, Devin, Cursor, and Clawdbot are increasingly using external skills, plugins, and MCP tools. These files are often:

A single malicious skill can exfiltrate credentials, install backdoors, or hijack your agent's actions.

AgentVet scans these files before they can do damage.

---

Features

---

Installation

``bash npm install -g @agentvet/cli`

Or run directly with npx:

`bash npx @agentvet/cli scan ./my-skills`

---

`Usage`

`$3`

`bash agentvet scan ./skills/my-skill`

`$3`

`bash agentvet scan https://github.com/user/agent-config`

`$3`

`bash

`Human-readable (default)`


agentvet scan ./skills
JSON output for CI/CD

agentvet scan ./skills --format json --output report.json
Quiet mode (summary only)

agentvet scan ./skills --quiet


$3
AgentVet scans for vulnerable dependencies using npm audit and pip-audit:

`bash

`Dependency scanning enabled by default`


agentvet scan ./my-project
Disable dependency scanning

agentvet scan ./my-project --no-deps

Supports: - npm: Scanspackage-lock.jsonfor known vulnerabilities - pip: Scansrequirements.txt using pip-audit (requires pip install pip-audit)

`$3`

Use AI to analyze agent instructions for malicious intent:

`bash

`Enable LLM analysis (requires API key)`


export OPENAI_API_KEY=sk-...
agentvet scan ./skills --llm
Or use Anthropic

export ANTHROPIC_API_KEY=sk-ant-...
agentvet scan ./skills --llm --llm-provider anthropic
Specify model

agentvet scan ./skills --llm --llm-model gpt-4o


Detects:
- Prompt injection — Attempts to override system instructions
- Hidden commands — Secret instructions triggered by conditions
- Data exfiltration — Instructions to leak data externally
- Deceptive behavior — Instructions to hide actions or lie
$3
AgentVet includes built-in YARA rules for AI agent threats:

`bash

`YARA enabled by default`


agentvet scan ./skills
Disable YARA scanning

agentvet scan ./skills --no-yara
Use custom YARA rules

agentvet scan ./skills --yara-rules ./my-rules

YARA works in two modes: - yara-cli: Uses the nativeyaracommand (fastest, requires yara installed) - js-fallback: Pure JavaScript implementation (works everywhere, no dependencies)

`$3`

Create .agentvetignore in your project root to exclude files:

`gitignore

`Ignore test fixtures`


test/fixtures/
Ignore documentation with example patterns

docs/*.md
Ignore backup files

*.bak
Ignore specific security tool that contains patterns

scripts/security-scanner.js

Supports gitignore-style patterns: -* matches anything except /-** matches everything including /-/patternanchors to root -pattern/ matches directories

`$3`

| Code | Meaning | |------|---------| | 0 | No issues found (or warnings only) | | 1 | Critical or high severity issues found |

---

`What It Scans`

---

`Detection Rules`

`$3`


- Hardcoded AWS keys, API tokens, private keys
- Known malware patterns (YARA-based)
- Data exfiltration URLs (webhook.site, requestbin, etc.)
- MCP: Unrestricted command execution (

bash, sh

)
- MCP: Shell injection risks (

-c

 flag patterns)
- MCP: Hardcoded credentials in tool configs
- MCP: Root filesystem access
$3

- Dangerous shell commands (

rm -rf /, curl | bash

)
- Eval/exec patterns in scripts
- Overly broad file access permissions
- Insecure file permissions on credential files
- MCP: Tunnel services (ngrok, localtunnel)
- MCP: Raw IP address endpoints
- MCP: Unrestricted filesystem/network access
- MCP: Environment variable exposure
$3

- Unusual network endpoints
- Deprecated API usage
$3

- Prompt Injection — System override attempts, jailbreak patterns
- Agent Hijacking — Hidden instructions, behavior modification
- Credential Exfiltration — Env leaks, file theft to external endpoints
- Backdoors — Reverse shells, crypto miners, remote access
- Supply Chain — Package hijacking, postinstall attacks
- Obfuscation — Base64/hex encoded payloads
- Privilege Escalation — sudo abuse, setuid patterns
---
CI/CD Integration
$3
Use the official AgentVet action:

`yaml name: AgentVet Security Scan on: [push, pull_request]

jobs: scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Run AgentVet uses: taku-tez/agentvet@v1 with: path: '.' severity: 'warning' fail-on-critical: 'true'`

`$3`

`yaml name: AgentVet Security Scan on: [push, pull_request]

`$3`

`bash

`.git/hooks/pre-commit`


npx agentvet scan . --quiet || exit 1


---
Contributing
Contributions welcome! See CONTRIBUTING.md for guidelines.
$3

Rules are defined in src/rules/. Each rule exports:

---

`License`

---

Don't let rogue skills hijack your AI agent. Vet first. 🛡️

`Permission Manifest & Trust Chain`

AgentVet supports Permission Manifests - declarative files that specify what permissions a skill requires. This enables:

`$3`

`bash

`Generate manifest from detected usage`


agentvet manifest init ./my-skill
Validate manifest schema

agentvet manifest validate ./my-skill
Verify skill matches its manifest (CI-friendly)

agentvet manifest verify ./my-skill
Show trust chain

agentvet manifest trust ./my-skill
Add audit entry (after code review)

agentvet manifest audit ./my-skill --auditor "org:mycompany" --notes "Reviewed 2026-01-31"
Show example manifest

agentvet manifest example

$3

$3