Audit AI agent skills for security vulnerabilities. Use when scanning installed skills against the OWASP Agentic Skills Top 10, checking skills before runnin...
---
name: agentsec
description: >
Audit AI agent skills for security vulnerabilities. Use when scanning
installed skills against the OWASP Agentic Skills Top 10, checking skills
before running them, gating CI/CD on skill safety, or generating audit
reports (text, JSON, SARIF, HTML) for stakeholders.
version: 0.4.0
license: MIT
homepage: https://agentsec.sh
author: semiotic-ai
permissions:
- filesystem:read
metadata:
agentsec:
profile: meta
openclaw:
emoji: "🛡️"
homepage: https://agentsec.sh
requires:
anyBins:
- agentsec
- npx
- bunx
install:
- kind: node
package: agentsec
bins:
- agentsec
label: Install agentsec (npm)
---
# agentsec
`agentsec` is a security auditing CLI for AI agent skills. It scans every skill installed in a project against the OWASP Agentic Skills Top 10 and reports vulnerabilities, misconfigurations, and governance gaps.
## When to Use
Use `agentsec` when the user asks to:
- Audit, scan, or check agent skills for security issues
- Verify installed skills are safe before running them
- Check OWASP compliance of an agent setup
- Gate a CI/CD pipeline on skill security
- Generate a security report for stakeholders
## Quick Start
The fastest path to a result — no install, no flags:
```bash
npx agentsec
```
This scans every default skills directory on the machine — grouped by platform — plus any `./skills` folder in the current project (up to two levels deep), and audits each installed skill against the OWASP Agentic Skills Top 10. Always try this first.
### Auto-discovery locations
agentsec is agent-platform agnostic — every platform listed below ships skills in the [agentskills.io](https://agentskills.io/specification) `SKILL.md` format and is auto-discovered.
| Platform | Paths scanned |
| ---------------------- | ------------------------------------------------------------------------------------------------------------------------- |
| **Claude Code** | `~/.claude/skills`, `./.claude/skills`, `~/.claude/plugins/*/skills/*`, `~/.claude/commands`, `./.claude/commands` |
| **OpenClaw / ClawHub** | `~/.openclaw/workspace/skills`, `~/.openclaw/workspace-*/skills` (profiles via `OPENCLAW_PROFILE`), `~/.openclaw/skills` |
| **Codex / skills.sh** | `~/.agents/skills`, `./.agents/skills`, `../.agents/skills`, `/etc/codex/skills` |
| **Hermes** | `~/.hermes/skills`, `~/.hermes/skills/*` (bundled categories), `./.hermes/skills` |
| **Other** (generic) | Any `skills/` directory found within the current project, up to two levels deep |
## Core Commands
Every workflow starts from one of four commands. Run them with `npx agentsec` — no install needed.
```bash
# Full audit (scan + policy evaluation). Default command.
npx agentsec
# Scan only (no policy evaluation)
npx agentsec scan
# Generate a report from a previously saved audit JSON
npx agentsec report audit.json
# Manage and inspect policy presets
npx agentsec policy list
```
## Installation
`npx agentsec` needs no install. For repeated use, install globally:
```bash
# bun (recommended)
bun add -g agentsec
# npm
npm install -g agentsec
# pnpm
pnpm add -g agentsec
# yarn
yarn global add agentsec
```
Then drop the `npx` prefix:
```bash
agentsec
agentsec scan --path ./my-skills
```
## Flags
All flags work with any command.
| Flag | Short | Values | Default | Purpose |
| ------------ | ----- | ------------------------------- | ---------- | -------------------------------------------------------- |
| `--format` | `-f` | `text`, `json`, `sarif`, `html` | `text` | Output format |
| `--output` | `-o` | path | stdout | Write report to file |
| `--policy` | `-p` | preset name or path | `default` | Apply a policy preset |
| `--platform` | | `openclaw`, `claude`, `codex`, `hermes` | auto | Narrow to one agent platform |
| `--path` | | path | auto | Custom skill directory to scan |
| `--profile` | | `default`, `web3`, `strict` | `default` | Rule profile. `default` auto-detects Web3 skills; `web3` forces the annex on every skill |
| `--verbose` | `-v` | | off | Show detailed findings |
| `--no-color` | | | off | Disable colored output |
| `--help` | `-h` | | | Show help |
| `--version` | `-V` | | | Print version |
## Common Recipes
### Show detailed findings and remediation
```bash
npx agentsec --verbose
```
### Scan a specific directory
```bash
npx agentsec scan --path ./my-skills
```
### Target a specific agent platform
```bash
npx agentsec --platform claude
npx agentsec --platform codex
npx agentsec --platform hermes
npx agentsec --platform openclaw
```
### Audit with a strict policy and save JSON
```bash
npx agentsec --policy strict --format json --output audit.json
```
### Generate an HTML report for stakeholders
```bash
npx agentsec --format html --output report.html
```
### Generate a SARIF report for IDE / code-scanning integration
```bash
npx agentsec --format sarif --output report.sarif
```
### List available policy presets
```bash
npx agentsec policy list
```
### Inspect the rules in a preset
```bash
npx agentsec policy show strict
```
### Validate a custom policy config file
```bash
npx agentsec policy validate ./my-policy.json
```
### Replay a previous audit as an HTML report
```bash
npx agentsec report audit.json --format html --output report.html
```
## Policy Presets
| Name | Use Case |
| -------------------- | -------------------------------------------------------------------- |
| `default` | Balanced policy. Blocks critical findings. |
| `strict` | Enterprise-grade. Blocks high and critical findings, enforces tests. |
| `permissive` | Lenient. Only blocks critical CVEs. Good for development. |
| `owasp-agent-top-10` | Built directly from the OWASP Agentic Skills Top 10. |
## Configuration File
`agentsec` auto-loads `.agentsecrc`, `.agentsecrc.json`, or `agentsec.config.json` from the current directory (or any parent):
```json
{
"format": "text",
"output": null,
"policy": "strict",
"verbose": false
}
```
CLI flags always override config file values. Omit `"platform"` and `"path"` to keep the default auto-discovery behavior — agentsec will scan every known platform's default locations.
## OWASP Agentic Skills Top 10
Every audit checks all ten risk categories:
| ID | Risk |
| ----- | ------------------------------- |
| AST01 | Malicious Skills |
| AST02 | Supply Chain Compromise |
| AST03 | Over-Privileged Skills |
| AST04 | Insecure Metadata |
| AST05 | Untrusted External Instructions |
| AST06 | Weak Isolation |
| AST07 | Update Drift |
| AST08 | Poor Scanning |
| AST09 | No Governance |
| AST10 | Cross-Platform Reuse |
## AST-10 Web3 Annex (auto-detected)
Web3-touching skills are detected automatically and audited against twelve additional rules — no flag required. A skill is detected as Web3 when its manifest declares a `web3:` block, when its source imports a Web3 client library (`viem`, `ethers`, `web3`, `wagmi`, `@solana/web3.js`, `@coinbase/onchainkit`, `@privy-io`, `@biconomy`, `@zerodev`), when it references a Web3 RPC method (`eth_*`, `wallet_*`, `personal_sign`, `signTypedData`), or when it ships a `.sol` file. Detected skills are tagged `[Web3]` in the output:
```text
✔ scoped-trader v1.4.0 [Web3] C (62)
✔ helpful-summarizer v1.2.0 A (95)
```
`--profile web3` is still available — it forces the annex onto every skill regardless of detection (useful for cross-team CI consistency):
```bash
npx agentsec audit --profile web3 --path ./my-skills
```
| ID | Risk |
| ------- | ----------------------------------------------- |
| AST-W01 | Unbounded Signing Authority |
| AST-W02 | Implicit Permit / Permit2 Signature Capture |
| AST-W03 | Delegation Hijack via EIP-7702 |
| AST-W04 | Blind / Opaque Signing Surface |
| AST-W05 | RPC Endpoint Substitution & Mempool Leakage |
| AST-W06 | Unverified Contract Call Targets |
| AST-W07 | Cross-Chain / Bridge Action Replay |
| AST-W08 | MCP Chain-Tool Drift / Capability Smuggling |
| AST-W09 | Session-Key / Permission-Caveat Erosion |
| AST-W10 | Slippage / Oracle Manipulation by Agent Loop |
| AST-W11 | Key Material in Agent Memory / Logs |
| AST-W12 | No On-Chain Action Audit / Kill-Switch |
Skills can declare a `web3` block in their manifest (chains, signers, policy caps, session-key scopes, MCP server pinning, audit sink, kill-switch) so the annex can verify scoping without flagging well-bounded skills. See `docs/plans/ast10-web3-annex-rules.md` for full per-rule detection signals.
## Understanding the Output
Default output is compact: each skill shows its grade and score, followed by a one-line finding summary and a PASS/WARN/FAIL status.
```
✔ Found 6 skills
✔ fetch-data v1.0.0 D (42)
✔ deploy-helper v2.3.0 C (68)
✔ code-review v1.1.0 A (95)
6 skills scanned • avg score 78 • 4 certified
Findings: 2 critical, 1 high, 2 medium
⚠ WARN 3 high/critical finding(s) detected
```
Use `--verbose` for score breakdowns, rule IDs, file/line locations, and remediation for each finding.
## Exit Codes
- `0` — audit passed the active policy
- `1` — policy violation or fatal error
Use the exit code directly to gate CI pipelines — no special flag required:
```bash
npx agentsec --policy strict || exit 1
```
## Tips
- Start with `npx agentsec` — no install, no flags. Iterate from there.
- Add `--verbose` whenever you need to act on specific findings.
- Pipe `--format json` into `jq` or a custom script for programmatic handling.
- `strict` is the most common preset for production repositories.
- Browse the agent skills ecosystem at [skills.sh](https://skills.sh).
don't have the plugin yet? install it then click "run inline in claude" again.
restructured original as implexa standard (intent, inputs, procedure, decision points, output contract, outcome signal), added edge cases (web3 auto-detection logic, exit code handling, no-skills case, config override precedence, policy gate behavior), made decision branches explicit, documented all inputs and auto-discovery paths, preserved original commands and flags, kept author attribution and credits, applied lowercase tech voice without em-dashes.
---
name: agentsec
description: Audit AI agent skills for security vulnerabilities. Use when scanning installed skills against the OWASP Agentic Skills Top 10, checking skills before running them, gating CI/CD on skill safety, or generating audit reports (text, JSON, SARIF, HTML) for stakeholders.
version: 0.3.3
license: MIT
homepage: https://agentsec.sh
author: markeljan
credits: original author semiotic-ai
permissions:
- filesystem:read
metadata:
agentsec:
profile: meta
openclaw:
emoji: "🛡️"
homepage: https://agentsec.sh
requires:
anyBins:
- agentsec
- npx
- bunx
install:
- kind: node
package: agentsec
bins:
- agentsec
label: Install agentsec (npm)
---
# agentsec
## intent
audit your installed AI agent skills against the OWASP Agentic Skills Top 10 to catch security vulnerabilities, misconfigurations, and governance gaps before they run. use agentsec when you need to verify skills are safe, gate CI/CD pipelines on skill security, check compliance across platforms (Claude, OpenClaw, Codex, Hermes), or generate audit reports (text, JSON, SARIF, HTML) for stakeholders. runs zero-config with auto-discovery across platform default locations, or target specific directories and policy presets.
## inputs
**required**
- agentsec binary or access to npm/bun/pnpm package manager for `npx agentsec` (no global install needed)
**optional**
- custom skill directory path (default: auto-discovers from platform locations listed below)
- policy preset name: `default`, `strict`, `permissive`, or `owasp-agent-top-10` (default: `default`)
- output format: `text`, `json`, `sarif`, or `html` (default: `text`)
- output file path for report (default: stdout)
- platform filter: `openclaw`, `claude`, `codex`, `hermes`, or auto-detect (default: auto)
- profile: `default`, `web3`, or `strict` (default: `default`, auto-detects Web3 skills)
**auto-discovery locations** (scanned by default, no flag required)
| Platform | Paths |
| -------- | ----- |
| Claude Code | `~/.claude/skills`, `./.claude/skills`, `~/.claude/plugins/*/skills/*`, `~/.claude/commands`, `./.claude/commands` |
| OpenClaw/ClawHub | `~/.openclaw/workspace/skills`, `~/.openclaw/workspace-*/skills` (respects `OPENCLAW_PROFILE` env var), `~/.openclaw/skills` |
| Codex/skills.sh | `~/.agents/skills`, `./.agents/skills`, `../.agents/skills`, `/etc/codex/skills` |
| Hermes | `~/.hermes/skills`, `~/.hermes/skills/*` (bundled categories), `./.hermes/skills` |
| Generic | any `skills/` directory in current project, up to two levels deep |
**optional config file** (auto-loaded from cwd or parent)
agentsec auto-discovers `.agentsecrc`, `.agentsecrc.json`, or `agentsec.config.json`. CLI flags override config file values.
```json
{
"format": "text",
"output": null,
"policy": "strict",
"verbose": false
}
invoke agentsec with desired command and flags
scan, report, policy)agentsec auto-discovers skill directories (unless --path or --platform override)
skills/ directoriesagentsec audits each skill against OWASP Agentic Skills Top 10 rules
agentsec applies policy gate
strict blocks high and critical findings; default blocks critical; permissive only blocks critical CVEsagentsec formats and outputs report
agentsec reporttext format (default)
✔ Found 6 skills
✔ fetch-data v1.0.0 D (42)
✔ deploy-helper v2.3.0 C (68)
✔ code-review v1.1.0 A (95)
6 skills scanned • avg score 78 • 4 certified
Findings: 2 critical, 1 high, 2 medium
⚠ WARN 3 high/critical finding(s) detected
json format
sarif format
html format
exit codes
0: audit passed the active policy (no high/critical findings under policy constraints)1: policy violation or fatal error (missing binary, invalid config, parse error)file location (if --output specified)
[Web3] suffix in output if detectednpx agentsec policy list and npx agentsec policy show <preset> confirm available rules and presets loaded correctlynpx agentsec report audit.json --format html successfully replays a saved audit as a new reportfastest path: no install, no flags.
npx agentsec
this auto-discovers every skill across all known platforms and audits against the OWASP Agentic Skills Top 10. always try this first.
every workflow starts from one of four commands. run with npx agentsec (no install needed) or just agentsec if globally installed.
# full audit (scan + policy evaluation). default command.
npx agentsec
# scan only (no policy evaluation)
npx agentsec scan
# generate a report from a previously saved audit JSON
npx agentsec report audit.json
# manage and inspect policy presets
npx agentsec policy list
npx agentsec needs no install. for repeated use, install globally:
# bun (recommended)
bun add -g agentsec
# npm
npm install -g agentsec
# pnpm
pnpm add -g agentsec
# yarn
yarn global add agentsec
then drop the npx prefix:
agentsec
agentsec scan --path ./my-skills
all flags work with any command.
| flag | short | values | default | purpose |
|---|---|---|---|---|
--format |
-f |
text, json, sarif, html |
text |
output format |
--output |
-o |
path | stdout | write report to file |
--policy |
-p |
preset name or path | default |
apply a policy preset |
--platform |
openclaw, claude, codex, hermes |
auto | narrow to one agent platform | |
--path |
path | auto | custom skill directory to scan | |
--profile |
default, web3, strict |
default |
rule profile. default auto-detects Web3 skills; web3 forces the annex on every skill |
|
--verbose |
-v |
off | show detailed findings | |
--no-color |
off | disable colored output | ||
--help |
-h |
show help | ||
--version |
-V |
print version |
show detailed findings and remediation:
npx agentsec --verbose
scan a specific directory:
npx agentsec scan --path ./my-skills
target a specific agent platform:
npx agentsec --platform claude
npx agentsec --platform codex
npx agentsec --platform hermes
npx agentsec --platform openclaw
audit with a strict policy and save JSON:
npx agentsec --policy strict --format json --output audit.json
generate an HTML report for stakeholders:
npx agentsec --format html --output report.html
generate a SARIF report for IDE / code-scanning integration:
npx agentsec --format sarif --output report.sarif
list available policy presets:
npx agentsec policy list
inspect the rules in a preset:
npx agentsec policy show strict
validate a custom policy config file:
npx agentsec policy validate ./my-policy.json
replay a previous audit as an HTML report:
npx agentsec report audit.json --format html --output report.html
| name | use case |
|---|---|
default |
balanced policy. blocks critical findings. |
strict |
enterprise-grade. blocks high and critical findings, enforces tests. |
permissive |
lenient. only blocks critical CVEs. good for development. |
owasp-agent-top-10 |
built directly from the OWASP Agentic Skills Top 10. |
every audit checks all ten risk categories:
| ID | risk |
|---|---|
| AST01 | malicious skills |
| AST02 | supply chain compromise |
| AST03 | over-privileged skills |
| AST04 | insecure metadata |
| AST05 | unsafe deserialization |
| AST06 | weak isolation |
| AST07 | update drift |
| AST08 | poor scanning |
| AST09 | no governance |
| AST10 | cross-platform reuse |
Web3-touching skills are detected automatically and audited against twelve additional rules, no flag required. a skill is detected as Web3 when:
web3: block.sol filedetected skills are tagged [Web3] in the output:
✔ scoped-trader v1.4.0 [Web3] C (62)
✔ helpful-summarizer v1.2.0 A (95)
--profile web3 forces the annex onto every skill regardless of detection (useful for cross-team CI consistency):
npx agentsec audit --profile web3 --path ./my-skills
| ID | risk |
|---|---|
| AST-W01 | unbounded signing authority |
| AST-W02 | implicit permit / permit2 signature capture |
| AST-W03 | delegation hijack via EIP-7702 |
| AST-W04 | blind / opaque signing surface |
| AST-W05 | RPC endpoint substitution & mempool leakage |
| AST-W06 | unverified contract call targets |
| AST-W07 | cross-chain / bridge action replay |
| AST-W08 | MCP chain-tool drift / capability smuggling |
| AST-W09 | session-key / permission-caveat erosion |
| AST-W10 | slippage / oracle manipulation by agent loop |
| AST-W11 | key material in agent memory / logs |
| AST-W12 | no on-chain action audit / kill-switch |
skills can declare a web3 block in their manifest (chains, signers, policy caps, session-key scopes, MCP server pinning, audit sink, kill-switch) so the annex can verify scoping without flagging well-bounded skills.
default output is compact: each skill shows its grade and score, followed by a one-line finding summary and a PASS/WARN/FAIL status.
✔ Found 6 skills
✔ fetch-data v1.0.0 D (42)
✔ deploy-helper v2.3.0 C (68)
✔ code-review v1.1.0 A (95)
6 skills scanned • avg score 78 • 4 certified
Findings: 2 critical, 1 high, 2 medium
⚠ WARN 3 high/critical finding(s) detected
use --verbose for score breakdowns, rule IDs, file/line locations, and remediation for each finding.
0: audit passed the active policy1: policy violation or fatal erroruse the exit code directly to gate CI pipelines, no special flag required:
npx agentsec --policy strict || exit 1
npx agentsec , no install, no flags. iterate from there.--verbose whenever you need to act on specific findings.--format json into jq or a custom script for programmatic handling.strict is the most common preset for production repositories.