Agent CLI Scope Guard

Read-only AI agent CLI security audit for hidden global Skill routing, credential inheritance, bridge snapshots, and over-broad permissions.

View the Project on GitHub xiaoqi-AI/agent-cli-scope-guard

Remediation Playbook

Use this sequence when an Agent CLI unexpectedly changes routing, creates remote resources, or gains access to unrelated credentials. The order matters: contain first, rotate second, clean up last.

Phase 0: Freeze side effects

Exit condition: no background process can create additional remote resources.

Phase 1: Establish the effective route

Inspect every layer that can influence tool choice:

  1. User-level Agent instructions
  2. User-level Skill pools
  3. Host-specific Skill directories
  4. Symlinks and Windows Junctions
  5. Project instructions and trusted-project configuration
  6. Package install and upgrade hooks
  7. Bridge configuration and running processes

Classify each rule:

Route type Safe default
Explicit platform command Allowed within the named task
Project-owned route Allowed only inside that project
User-level implicit route Disable or narrow
Installer-created route Require disclosure and opt-in

Phase 2: Contain credentials

  1. Stop the process that is persisting or redistributing environment data.
  2. Record only the affected credential names, scopes, and timestamps.
  3. Remove stale environment snapshots and caches through a reviewed manual change.
  4. Restrict credential files to the owning user or service identity.
  5. Replace user-level environment variables with task-scoped injection.
  6. Rotate credentials that remained valid during the exposure window.
  7. Restart only the minimum required processes and verify their child environments.

Rotation before containment can immediately expose the new credential to the same bridge, so do not reverse steps 1 and 6.

Phase 3: Narrow routing

Use the explicit routing policy template. A compliant route should answer all of these questions:

Phase 4: Restore least privilege

Phase 5: Make external writes idempotent

Every external create or update operation should carry:

On timeout:

  1. Mark the operation unknown.
  2. Query the external platform by operation key or deterministic metadata.
  3. Reuse the confirmed result if it exists.
  4. Retry only when absence is proven.

Phase 6: Verify durability

Run the auditor:

agent-scope-guard --json --fail-on high

Then verify again after:

The remediation is complete only when the route stays narrow after those lifecycle events.