AgentGuard by Nano

Agent Identity & Permission Guardian - Trust middleware for credential management, permission scopes, human approval workflows, and audit trails. Use when AI...

What to consider before installing: 1) Undeclared requirements: The package actually runs shell commands (1Password CLI 'op') and may spawn tmux sessions, and it reads env vars like AGENTGUARD_PASSWORD, AGENTGUARD_USE_TMUX, OP_ACCOUNT, FEISHU_OPEN_ID. The skill metadata did not declare these — verify and set them intentionally. 2) Review the code paths that execute shell commands: src/1password.js uses child_process.execSync and a tmux-based execution path that creates sockets and sessions. If you don't trust the package source, these execs could be abused to run arbitrary commands on your machine. 3) Secrets handling: CLI commands print credentials (vault get prints the value to stdout) and the tool writes audit logs under ~/.agentguard. Ensure you understand where master passwords and API keys are stored and whether you're comfortable with the local storage and stdout behaviors. 4) External notifications: The human-gate integrates with Feishu/other channels. Inspect src/feishu-notifier.js (and other notifiers) to confirm what is sent externally and whether any sensitive data could be exfiltrated in approval payloads. 5) Metadata inconsistency: The registry said 'instruction-only' while the repo contains code and package.json. Prefer to install from a known trustworthy source (official npm package or vetted repo) and verify package integrity (source repo, npm publisher, checksums) before running. 6) Safety steps: run the package in an isolated environment (sandbox/VM) first; search the repository for exec/child_process usages and all network endpoints; set a strong AGENTGUARD_PASSWORD rather than relying on the default; avoid exposing the master password in a shared environment variable; and consider disabling AGENTGUARD_USE_TMUX unless you need the tmux flow. Given the coherent functionality but the undeclared env/exec behavior and tmux usage, the package looks plausible for its stated purpose but has enough mismatches and risky operations to mark it suspicious until you confirm provenance and review the exec/network code paths.

Type: OpenClaw Skill Name: nano-agentguard Version: 0.4.0 The skill is classified as suspicious due to a critical shell injection vulnerability found in `src/1password.js`. User-controlled inputs (such as agent IDs or credential keys) are directly interpolated into `child_process.execSync` calls without proper sanitization or escaping when interacting with the `op` CLI. This flaw, exposed through `src/vault-op.js` and the `agentguard` CLI (`src/cli.js`), could allow an attacker to execute arbitrary commands on the host system. While the skill's stated purpose is security-focused, this severe vulnerability poses a significant risk of remote code execution. Additionally, `src/cli.js` uses a weak default master password ('default-password-change-me') if not provided via environment variables, which is a minor security vulnerability.