← Back to Docs

Agent Security

Security audit for agent configs, skills, toxic flows, and content pinning.

Four Modules

Config Audit

TS-C*

Analyzes agent configuration files for security misconfigurations: overly permissive settings, missing guardrails, insecure defaults.

Skill Scanner

TS-E*

Pattern matching against 20+ malicious skill patterns: shell injection, data exfiltration, credential theft, privilege escalation.

Toxic Flow Detection

TS-W*

Identifies dangerous capability combinations using keyword + AST analysis. Detects read+exfil, auth+impersonate, etc.

Content Pinning

TS-P*

SHA-256 hashing of skill definitions to detect rug-pull attacks — when previously approved skills are silently modified.

Usage

bash
# Audit an agent config file
"code-keyword">$ "code-function">spidershield agent-check ./agent-config.yaml

Agent Security Audit
━━━━━━━━━━━━━━━━━━━
Config:  ./agent-config.yaml
Skills:  12 registered
Flows:   3 toxic combinations detected

Findings:
  [TS-E001] CRITICAL  Skill "exec_shell" has unrestricted shell access
  [TS-E003] CRITICAL  Toxic flow: read_file + http_post (data exfiltration)
  [TS-W002] WARNING   Skill "fetch_url" allows arbitrary URL access
  [TS-W005] WARNING   No allowlist configured — all skills permitted

Score: 3.2 / 10.0  (Grade: D)

Content Pinning

Pin skill definitions with SHA-256 hashes. Detect silent modifications (rug-pull attacks) by verifying hashes later.

python
from spidershield.agent import pin_skills, verify_pins

# Pin current skill definitions (SHA-256 hash)
pin_skills("./agent-config.yaml", output="./skill-pins.json")

# Later — verify nothing changed (rug-pull detection)
changed = verify_pins("./agent-config.yaml", "./skill-pins.json")
if changed:
    print(f"ALERT: {len(changed)} skills modified since pinning!")
    for skill in changed:
        print(f"  {skill.name}: {skill.old_hash} → {skill.new_hash}")

SARIF Output

Agent findings can be exported in SARIF format for integration with GitHub Code Scanning, VS Code, and other tools.

bash
"code-keyword">$ "code-function">spidershield agent-check "code-keyword">--format sarif ./agent-config.yaml > results.sarif
← Audit LoggingAll Docs →