AgentGuard

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may trust the skill as local-only while enabling or receiving reports through external messaging services.

Why it was flagged

The same artifact documents Telegram alert/report channels while promising that no data leaves the machine. For a security monitor that logs file, API, and communication activity, that privacy contradiction is material.

Skill content

alerts: channels: - telegram ... reporting: report_channel: telegram ... Privacy & Security: "No external data transmission" - All processing is local

Recommendation

Clarify the effective default, make external channels explicit opt-in, and document exactly what alert/report data is sent outside the machine.

What this means

Sensitive telemetry such as file paths, API destinations, communication destinations, and alert details could be exposed to other skills or channels without clear limits.

Why it was flagged

The skill advertises collecting communication telemetry and sharing threat data with other skills, but does not define recipient identity, permissions, data minimization, or approval boundaries.

Skill content

Communication Logging: "Log all external communications for audit trails" ... With Other Skills: "Shares threat data with other security skills"

Recommendation

Require explicit opt-in for inter-skill sharing, specify permitted recipients and data fields, and sanitize/minimize shared telemetry.

What this means

Anyone with access to the local ~/.agentguard logs may learn what files and services the agent interacted with.

Why it was flagged

The logger stores persistent local telemetry about file paths and API URLs/domains. It includes sanitization, but still retains sensitive activity metadata.

Skill content

CONFIG_DIR = Path.home() / ".agentguard" ... LOG_DIR = CONFIG_DIR / "logs" ... "path": path ... "url": SensitiveDataSanitizer.sanitize(url)

Recommendation

Limit watched paths, set short retention where possible, protect ~/.agentguard permissions, and enable encryption if the implementation supports it.

What this means

Monitoring and report generation may continue beyond a single user request until stopped or reconfigured.

Why it was flagged

The skill is designed to keep monitoring and generating reports after it is started. This is disclosed and purpose-aligned, but it is persistent behavior.

Skill content

Trigger: Continuous background monitoring ... agentguard start ... reporting: auto_daily_report: true

Recommendation

Start it only when desired, confirm how to stop the monitor and check its status, and disable auto reports if ongoing reporting is not needed.

What this means

It may be harder to verify the package provenance, dependencies, and exact runtime entrypoints before use.

Why it was flagged

The package includes executable Python scripts and CLI-oriented documentation, but the registry does not provide a source/homepage or install specification.

Skill content

Source: unknown; Homepage: none ... No install spec — this is an instruction-only skill ... 5 code file(s)

Recommendation

Verify the publisher/source and review dependencies and entrypoints before running the scripts or installing any missing packages.

What this means

If blocking is enabled, legitimate agent API calls or operations could be interrupted.

Why it was flagged

The default is alert-only, but the skill documents a mode that can prevent operations. That authority is security-relevant even though it is purpose-aligned.

Skill content

block_on_suspicious: false  # true = prevent call, false = alert only ... With Other Skills: Can block operations (if configured)

Recommendation

Keep blocking disabled until tested, use explicit allowlists, and require user confirmation for disruptive enforcement modes.