Agent CLI Scope Guard

Read-only AI agent CLI security audit for hidden global Skill routing, credential inheritance, bridge snapshots, and over-broad permissions.

View the Project on GitHub xiaoqi-AI/agent-cli-scope-guard

Coze CLI Case Study

Purpose

This is a sanitized configuration-risk case study, not a claim that every Coze CLI version or installation behaves identically. The observations below were verified on one Windows installation of @coze/cli version 0.3.4 on 2026-07-13. Product behavior may change; always inspect the installed version.

Observed chain

  1. @coze/cli was installed globally through npm.
  2. Its package lifecycle included a post-install path that invoked Skill installation or synchronization.
  3. A using-coze-cli Skill appeared in a shared user-level Agent Skill pool.
  4. The Skill description covered software development, Agent, workflow, and Skill work without requiring the user to explicitly name Coze.
  5. A second Agent host exposed the same physical Skill through a Windows Junction.
  6. A local bridge stored a process-environment snapshot and used it for child-agent environments.
  7. User-level secrets present in the parent environment therefore became available to unrelated child tasks.

The result was a routing and scope-control failure. It does not establish that credential values were transmitted to a remote service.

Read-only verification on Windows

Check the globally installed package:

npm ls -g @coze/cli --depth=0
$npmRoot = npm root -g
$package = Get-Content "$npmRoot\@coze\cli\package.json" -Raw | ConvertFrom-Json
$package.version
$package.scripts.postinstall

List global Agent Skill locations without opening credentials:

Get-ChildItem "$HOME\.agents\skills" -Directory -ErrorAction SilentlyContinue
Get-ChildItem "$HOME\.trae\skills" -Directory -ErrorAction SilentlyContinue |
  Select-Object Name, LinkType, Target

Check whether a bridge snapshot exists. Do not print its contents in a shared terminal or issue:

Get-Item "$HOME\.coze\bridge\agent-env.json" -ErrorAction SilentlyContinue |
  Select-Object FullName, Length, LastWriteTime

The repository tool performs these checks more safely because it reports sensitive field names only:

agent-scope-guard --json --fail-on high

Why deleting one Skill may not work

There can be three independent persistence layers:

A durable fix must reconcile all three and then rerun the audit after the next CLI upgrade.

Fair interpretation

Automatic Skill installation can be a convenience feature. The risk arises when convenience crosses an invisible trust boundary: broad implicit triggers, multiple hosts, ambient secrets, or external writes without explicit confirmation. The safer product design is explicit delegation plus narrow credential and permission scopes.