Agent CLI Scope Guard

Read-only AI agent CLI security audit for hidden global Skill routing, credential inheritance, bridge snapshots, and over-broad permissions.

View the Project on GitHub xiaoqi-AI/agent-cli-scope-guard

Threat Model

Scope

This project examines local AI agent hosts, globally installed CLIs, shared skills, bridges, credentials, and external side effects. It focuses on accidental scope expansion and supply-chain-like configuration behavior. It does not assume a malicious vendor or prove remote exfiltration.

Assets

Trust boundaries

  1. User request to host model
  2. Host model to global instruction or Skill
  3. Skill to vendor CLI
  4. CLI to bridge or child agent
  5. Parent environment to child environment
  6. Local process to external API
  7. One agent writer to another concurrent writer

Failure modes

Hidden route substitution

A global Skill delegates a broad class of requests to an external platform without an explicit user choice. The user believes the host model is implementing the task directly, while another service creates the actual artifact.

Cross-host policy propagation

A symlink, junction, central Skill pool, or installer sync causes one rule to affect Codex, Trae, or other hosts simultaneously. Editing a visible copy may not remove the physical source or prevent reinstallation.

Ambient credential inheritance

Long-lived credentials stored in user-level environment variables are inherited by every child process. A bridge may persist that environment to disk and inject it into future child agents.

Permission amplification

Unrestricted filesystem access and no-approval execution do not cause a routing error, but they increase its blast radius and remove the final human checkpoint.

Duplicate external side effects

Parallel agents create the same remote resource because there is no idempotency key, ownership lease, or reconciliation step after a timeout.

Upgrade reintroduction

Package lifecycle hooks or background synchronization restore a removed Skill. A one-time manual deletion appears successful but is not durable.

Security invariants

Evidence levels

Level Meaning
Observed A file, process, permission, or rule exists locally
Inferred The observed configuration can produce a stated effect
Confirmed Logs or API evidence show the effect occurred

The auditor reports observed state and bounded inferences. It must not label a remote leak as confirmed without remote evidence.