About AgentGuard

Taxonomy attribution and responsible use references. AgentGuard currently ships 132 detection rules.

• OWASP LLM Top 10 v2025
• OWASP Top 10 for Agentic Applications 2026
• Simon Willison lethal trifecta (June 16, 2025)
• Meta and OpenAI Agents Rule of Two (Nov 2025)
• CVE-2025-6514
• CVE-2025-54135
• CVE-2025-54136

What AgentGuard Does NOT Cover

AgentGuard is a static text-pattern auditor running entirely in your browser. It cannot detect prompt-injection payloads at runtime, verify that runtime enforcement actually matches config declarations, catch novel social-engineering payloads in plain language, inspect compiled binaries or remote MCP server behavior, or replace human review of agent rule files. Pair AgentGuard with runtime guardrails (NeMo Guardrails, Lakera Guard, Azure AI Content Safety), sandboxing, network policy enforcement, and red-teaming tools (Promptfoo, PyRIT, Garak) for complete defense in depth. Version pin lists require regular updates as new CVEs are published.

Supported agents

• Codex: AGENTS.md, codex settings and MCP configs
• Cursor: .cursorrules, .cursor/rules/*.mdc, .cursor/mcp.json
• GitHub Copilot: .github/copilot-instructions.md, .vscode/settings.json, .github/instructions/*.instructions.md
• Aider: .aider.conf.yml
• Continue: ~/.continue/config.json, .continuerc.json, config.yaml models and mcpServers
• Windsurf: .windsurfrules, .windsurf/mcp.json, global_rules.md
• Gemini CLI: GEMINI.md, ~/.gemini/settings.json, .gemini/config.yaml
• Claude Code: .claude/settings.json, CLAUDE.md, .mcp.json

Advanced detection categories

• Trust-on-claim privilege escalation.
• Indirect prompt injection via documents and attachments.
• Business email compromise (BEC) and ACH update fraud patterns.
• Scheduled task abuse and permission persistence.
• Log-based data exfiltration channels.
• Cross-domain sensitive data aggregation risks.
• Multi-tool attack-chain detection (combo rules) for takeover, exfiltration, RCE, and urgent deploy bypass.
• SSRF and cloud metadata/internal network fetch exposure patterns.
• System prompt and internal configuration exfiltration patterns.
• IAM shadow-admin creation and urgency-bypass policy abuse.
• Plugin supply-chain compromise and unverified extension loading.
• LLM code generation plus auto-execution without review/sandboxing.
• Webhook runtime exfiltration via user-provided destinations.
• Unbounded privilege provisioning and privilege creep risks.

AgentGuard is provided for informational and educational purposes only. It is not a substitute for professional security advice, auditing, or penetration testing. Results are not guaranteed to be complete, accurate, or exhaustive. The presence or absence of a finding does not constitute a warranty of security. By using AgentGuard you agree that the authors and contributors are not liable for any damages, losses, or security incidents arising from reliance on this tool. Use only on systems and configurations you own or are authorized to assess.