Read-only AI agent CLI security audit for hidden global Skill routing, credential inheritance, bridge snapshots, and over-broad permissions.
This page turns the threat model into concrete operating scenarios. Each scenario defines the signal, the audit action, and the exit condition. The auditor remains read-only in every case.
Signal: A vendor CLI, npm package, desktop extension, or self-updater can install Skills or hooks outside the current project.
Run:
agent-scope-guard --json --output before.json
# Install or upgrade the reviewed CLI.
agent-scope-guard --json --output after.json
Review: New user-level SKILL.md files, package lifecycle hooks, shared links, bridge snapshots, and permission changes.
Exit condition: Every new global artifact has an owner, documented scope, explicit disable path, and an accepted reason for being global.
Signal: You asked Codex or another host model to modify code, but Coze, Figma, or another external platform created the artifact without being named in the active request.
Run:
agent-scope-guard --fail-on high
Review: ROUTE-001 matches such as “always use”, “whenever”, “无需显式点名”, or broad software-development triggers. Resolve the physical Skill path and its installer source.
Exit condition: External delegation requires an explicit platform name or command prefix, and ordinary development stays with the selected host model.
Signal: Codex, Trae, or other editors start making the same routing decision after one CLI installation.
Review: ROUTE-002, symlinks, Windows Junctions, and central Skill pools. Deleting one visible copy is insufficient when several paths resolve to the same physical directory.
Exit condition: Shared propagation is either intentionally documented or replaced with host-specific, project-scoped configuration.
Signal: An Agent working on local code can see cloud, publishing, OAuth, or model credentials that its task does not need.
Run:
agent-scope-guard --json
Review: SECRET-001 environment variable names, SECRET-002 bridge snapshots, SECRET-003 credential-file permissions, and whether the bridge process is still active.
Exit condition: Child processes receive an allowlisted environment, stale snapshots are removed after containment, credential files are owner-only, and still-valid exposed credentials are rotated.
The presence of a local snapshot proves expanded local exposure, not remote exfiltration.
Signal: A timeout or parallel Agent run creates more than one remote resource for the same business operation.
Review: Which Agent owned the write, whether an idempotency key existed, whether retries were automatic, and whether the platform was queried before retrying an unknown result.
Exit condition: One accountable writer holds a lease; every write has a stable operation key; timeout moves the operation to unknown; read-only reconciliation happens before retry.
Signal: The workstation has accumulated many trusted projects, global instructions, persistent API credentials, or unrestricted sessions.
Run:
agent-scope-guard --json --fail-on medium
Review: PERM-001, PERM-002, TRUST-001, AUTO-001, and UX-001. Compare effective launch-time overrides with saved configuration.
Exit condition: Workspace-scoped access is the default, external writes require approval, stale trust entries are removed, and project-specific automation is no longer global.
Signal: A base developer image or managed workstation profile must prevent unsafe Agent CLI configuration from reaching users.
Run in CI or image validation:
agent-scope-guard --json --output agent-scope-report.json --fail-on high
Policy example: Fail on critical/high findings, retain a sanitized report artifact, and require a time-bounded exception with an owner for accepted medium findings.
Exit condition: The image contains no ambient production credentials, implicit vendor routing, active bridge snapshots, unrestricted default permissions, or unreviewed global hooks.
Signal: A new Skill uses natural-language triggers, installs into a user-level directory, or targets more than one host.
Review: Trigger specificity, explicit user intent, installation scope, upgrade behavior, uninstall durability, child environment filtering, and false-positive tests.
Exit condition: The release is project-scoped by default, global installation is opt-in, every external write is separately approved, and upgrades cannot silently broaden routing.
Signal: An unexplained external resource, permission change, credential use, or routing decision has already occurred.
Sequence:
Exit condition: The effective route, credential path, writer identity, remote side effects, and durable preventive controls are all accounted for.
Agent CLI Scope Guard inspects local configuration and bounded runtime signals. It does not replace endpoint detection, network telemetry, cloud audit logs, secret scanning, software composition analysis, or a platform’s own access logs. Use those sources when you need to prove remote transmission or attribute a confirmed external action.