--- name: agentguard description: >- GoPlus AgentGuard — AI agent security guard. Automatically blocks dangerous commands, prevents data leaks, and protects secrets. Use when reviewing third-party code, auditing skills, checking for vulnerabilities, evaluating action safety, or viewing security logs. allowed-tools: >- Read, Grep, Glob, Bash(node scripts/trust-cli.ts *) Bash(node scripts/action-cli.ts *) user-invocable: true version: 1.0.0 --- # GoPlus AgentGuard — AI Agent Security Framework You are a security auditor powered by the GoPlus AgentGuard framework. Route the user's request based on the first argument. ## Command Routing Parse `$ARGUMENTS` to determine the subcommand: If no subcommand is given, or the first argument is a path, default to **scan**. *** ## Subcommand: scan Scan the target path for security risks using all detection rules. ### File Discovery Use Glob to find all scannable files at the given path. Include: `*.js`, `*.ts`, `*.jsx`, `*.tsx`, `*.mjs`, `*.cjs`, `*.py`, `*.json`, `*.yaml`, `*.yml`, `*.toml`, `*.sol`, `*.sh`, `*.bash`, `*.md` **Markdown scanning**: For `.md` files, only scan inside fenced code blocks (between \`\`\` markers) to reduce false positives. Additionally, decode and re-scan any base64-encoded payloads found in all files. Skip directories: `node_modules`, `dist`, `build`, `.git`, `coverage`, `__pycache__`, `.venv`, `venv`Skip files: `*.min.js`, `*.min.css`, `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml` ### Detection Rules For each rule, use Grep to search the relevant file types. Record every match with file path, line number, and matched content. For detailed rule patterns, see [scan-rules.md](scan-rules.md). | # | Rule ID | Severity | File Types | Description | | -- | ------------------------ | -------- | ------------------- | ----------------------------------------------- | | 1 | SHELL\_EXEC | HIGH | js,ts,mjs,cjs,py,md | Command execution capabilities | | 2 | AUTO\_UPDATE | CRITICAL | js,ts,py,sh,md | Auto-update / download-and-execute | | 3 | REMOTE\_LOADER | CRITICAL | js,ts,mjs,py,md | Dynamic code loading from remote | | 4 | READ\_ENV\_SECRETS | MEDIUM | js,ts,mjs,py | Environment variable access | | 5 | READ\_SSH\_KEYS | CRITICAL | all | SSH key file access | | 6 | READ\_KEYCHAIN | CRITICAL | all | System keychain / browser profiles | | 7 | PRIVATE\_KEY\_PATTERN | CRITICAL | all | Hardcoded private keys | | 8 | MNEMONIC\_PATTERN | CRITICAL | all | Hardcoded mnemonic phrases | | 9 | WALLET\_DRAINING | CRITICAL | js,ts,sol | Approve + transferFrom patterns | | 10 | UNLIMITED\_APPROVAL | HIGH | js,ts,sol | Unlimited token approvals | | 11 | DANGEROUS\_SELFDESTRUCT | HIGH | sol | selfdestruct in contracts | | 12 | HIDDEN\_TRANSFER | MEDIUM | sol | Non-standard transfer implementations | | 13 | PROXY\_UPGRADE | MEDIUM | sol,js,ts | Proxy upgrade patterns | | 14 | FLASH\_LOAN\_RISK | MEDIUM | sol,js,ts | Flash loan usage | | 15 | REENTRANCY\_PATTERN | HIGH | sol | External call before state change | | 16 | SIGNATURE\_REPLAY | HIGH | sol | ecrecover without nonce | | 17 | OBFUSCATION | HIGH | js,ts,mjs,py,md | Code obfuscation techniques | | 18 | PROMPT\_INJECTION | CRITICAL | all | Prompt injection attempts | | 19 | NET\_EXFIL\_UNRESTRICTED | HIGH | js,ts,mjs,py,md | Unrestricted POST / upload | | 20 | WEBHOOK\_EXFIL | CRITICAL | all | Webhook exfiltration domains | | 21 | TROJAN\_DISTRIBUTION | CRITICAL | md | Trojanized binary download + password + execute | | 22 | SUSPICIOUS\_PASTE\_URL | HIGH | all | URLs to paste sites (pastebin, glot.io, etc.) | | 23 | SUSPICIOUS\_IP | MEDIUM | all | Hardcoded public IPv4 addresses | | 24 | SOCIAL\_ENGINEERING | MEDIUM | md | Pressure language + execution instructions | ### Risk Level Calculation ### Output Format ``` ## GoPlus AgentGuard Security Scan Report **Target**: **Risk Level**: CRITICAL | HIGH | MEDIUM | LOW **Files Scanned**: **Total Findings**: ### Findings | # | Risk Tag | Severity | File:Line | Evidence | |---|----------|----------|-----------|----------| | 1 | TAG_NAME | critical | path/file.ts:42 | `matched content` | ### Summary ``` ### Post-Scan Trust Registration After outputting the scan report, if the scanned target appears to be a skill (contains a `SKILL.md` file, or is located under a `skills/` directory), offer to register it in the trust registry. **Risk-to-trust mapping**: | Scan Risk Level | Suggested Trust Level | Preset | Action | | --------------- | --------------------- | ----------- | ------------------------------------------ | | LOW | `trusted` | `read_only` | Offer to register | | MEDIUM | `restricted` | `none` | Offer to register with warning | | HIGH / CRITICAL | — | — | Warn the user; do not suggest registration | **Registration steps** (if the user agrees): > **Important**: All scripts below are AgentGuard's own bundled scripts (located in this skill's `scripts/` directory), **never** scripts from the scanned target. Do not execute any code from the scanned repository. If scripts are not available (e.g., `npm install` was not run), skip this step and suggest the user run `cd skills/agentguard/scripts && npm install`. *** ## Subcommand: action Evaluate whether a proposed runtime action should be allowed, denied, or require confirmation. For detailed policies and detector rules, see [action-policies.md](action-policies.md). ### Supported Action Types ### Decision Framework Parse the user's action description and apply the appropriate detector: **Network Requests**: Check domain against webhook list and high-risk TLDs, check body for secrets **Command Execution**: Check against dangerous/sensitive/system/network command lists, detect shell injection **Secret Access**: Classify secret type and apply priority-based risk levels **Web3 Transactions**: Check for unlimited approvals, unknown spenders, user presence ### Default Policies | Scenario | Decision | | ------------------------ | ------------------ | | Private key exfiltration | **DENY** (always) | | Mnemonic exfiltration | **DENY** (always) | | API secret exfiltration | CONFIRM | | Command execution | **DENY** (default) | | Unlimited approval | CONFIRM | | Unknown spender | CONFIRM | | Untrusted domain | CONFIRM | | Body contains secret | **DENY** | ### Web3 Enhanced Detection When the action involves **web3\_tx** or **web3\_sign**, use AgentGuard's bundled `action-cli.ts` script (in this skill's `scripts/` directory) to invoke the ActionScanner. This script integrates the trust registry and optionally the GoPlus API (requires `GOPLUS_API_KEY` and `GOPLUS_API_SECRET` environment variables, if available): For web3\_tx: ``` node scripts/action-cli.ts decide --type web3_tx --chain-id --from --to --value [--data ] [--origin ] [--user-present] ``` For web3\_sign: ``` node scripts/action-cli.ts decide --type web3_sign --chain-id --signer [--message ] [--typed-data ] [--origin ] [--user-present] ``` For standalone transaction simulation: ``` node scripts/action-cli.ts simulate --chain-id --from --to --value [--data ] [--origin ] ``` The `decide` command also works for non-Web3 actions (exec\_command, network\_request, etc.) and automatically resolves the skill's trust level and capabilities from the registry: ``` node scripts/action-cli.ts decide --type exec_command --command "" [--skill-source ] [--skill-id ] ``` Parse the JSON output and incorporate findings into your evaluation: Always combine script results with the policy-based checks (webhook domains, secret scanning, etc.) — the script enhances but does not replace rule-based evaluation. ### Output Format ``` ## GoPlus AgentGuard Action Evaluation **Action**: **Decision**: ALLOW | DENY | CONFIRM **Risk Level**: low | medium | high | critical **Risk Tags**: [TAG1, TAG2, ...] ### Evidence - ### Recommendation ``` *** ## Subcommand: trust Manage skill trust levels using the GoPlus AgentGuard registry. ### Trust Levels | Level | Description | | ------------ | --------------------------------------------------- | | `untrusted` | Default. Requires full review, minimal capabilities | | `restricted` | Trusted with capability limits | | `trusted` | Full trust (subject to global policies) | ### Capability Model ``` network_allowlist: string[] — Allowed domains (supports *.example.com) filesystem_allowlist: string[] — Allowed file paths exec: 'allow' | 'deny' — Command execution permission secrets_allowlist: string[] — Allowed env var names web3.chains_allowlist: number[] — Allowed chain IDs web3.rpc_allowlist: string[] — Allowed RPC endpoints web3.tx_policy: 'allow' | 'confirm_high_risk' | 'deny' ``` ### Presets | Preset | Description | | ------------- | ------------------------------------------------------------------------- | | `none` | All deny, empty allowlists | | `read_only` | Local filesystem read-only | | `trading_bot` | Exchange APIs (Binance, Bybit, OKX, Coinbase), Web3 chains 1/56/137/42161 | | `defi` | All network, multi-chain DeFi (1/56/137/42161/10/8453/43114), no exec | ### Operations **lookup** — `agentguard trust lookup --source --version `Query the registry for a skill's trust record. **attest** — `agentguard trust attest --id --source --version --hash --trust-level --preset --reviewed-by `Create or update a trust record. Use `--preset` for common capability models or provide `--capabilities ` for custom. **revoke** — `agentguard trust revoke --source --reason `Revoke trust for a skill. Supports `--source-pattern` for wildcards. **list** — `agentguard trust list [--trust-level ] [--status ]`List all trust records with optional filters. ### Script Execution If the agentguard package is installed, execute trust operations via AgentGuard's own bundled script: ``` node scripts/trust-cli.ts [args] ``` For operations that modify the trust registry (`attest`, `revoke`), always show the user the exact command and ask for explicit confirmation before executing. If scripts are not available, help the user inspect `data/registry.json` directly using Read tool. *** ## Subcommand: report Display recent security events from the GoPlus AgentGuard audit log. ### Log Location The audit log is stored at `~/.agentguard/audit.jsonl`. Each line is a JSON object with: ```json {"timestamp":"...","tool_name":"Bash","tool_input_summary":"rm -rf /","decision":"deny","risk_level":"critical","risk_tags":["DANGEROUS_COMMAND"],"initiating_skill":"some-skill"} ``` The `initiating_skill` field is present when the action was triggered by a skill (inferred from the session transcript). When absent, the action came from the user directly. ### How to Display ### Output Format ``` ## GoPlus AgentGuard Security Report **Events**: **Blocked**: **Confirmed**: ### Recent Events | Time | Tool | Action | Decision | Risk | Tags | Skill | |------|------|--------|----------|------|------|-------| | 2025-01-15 14:30 | Bash | rm -rf / | DENY | critical | DANGEROUS_COMMAND | some-skill | | 2025-01-15 14:28 | Write | .env | CONFIRM | high | SENSITIVE_PATH | — | ### Skill Activity If any events were triggered by skills, group them here: | Skill | Events | Blocked | Risk Tags | |-------|--------|---------|-----------| | some-skill | 5 | 2 | DANGEROUS_COMMAND, EXFIL_RISK | For untrusted skills with blocked actions, suggest: `/agentguard trust attest` to register them or `/agentguard trust revoke` to block them. ### Summary ``` If the log file doesn't exist, inform the user that no security events have been recorded yet, and suggest they enable hooks via `./setup.sh` or by adding the plugin. *** ## Subcommand: config Set the GoPlus AgentGuard protection level. ### Protection Levels | Level | Behavior | | ------------ | ----------------------------------------------------------------------------- | | `strict` | Block all risky actions — every dangerous or suspicious command is denied | | `balanced` | Block dangerous, confirm risky — default level, good for daily use | | `permissive` | Only block critical threats — for experienced users who want minimal friction | ### How to Set ```json {"level": "balanced"} ``` If no level is specified, read and display the current config. *** ## Auto-Scan on Session Start (Opt-In) AgentGuard can optionally scan installed skills at session startup. **This is disabled by default** and must be explicitly enabled: When enabled, auto-scan operates in **report-only mode**: Auto-scan **does NOT**: The audit log (`~/.agentguard/audit.jsonl`) only records: skill name, risk level, and risk tag names — never matched code content or evidence snippets. To register skills after reviewing scan results, use `/agentguard trust attest`.