Loading...
Loading...
AgentsHQ runs a two-layer security scanner on every agent definition indexed in the registry. Results are shown on agent detail pages and available via the API.
46 regex patterns matched against the agent's markdown content. Instant, no external calls.
Agent content is sent to an LLM for semantic analysis of prompt injection, hidden intent, and social engineering.
Results are stored per-agent and re-computed when content changes. A scheduled job re-scans stale agents periodically.
No findings
100/100
Minor concerns, review recommended
-5 per finding
Significant risk, use with caution
-15 per finding
Dangerous patterns detected, do not use
-25 per finding
| ID | Check | What It Detects |
|---|---|---|
| CRT-CMD-001 | Pipe to shell | curl ... | bash, wget ... | sh — downloads and executes remote code |
| CRT-CMD-002 | Sudo pipe to shell | Same as above but with root privileges via sudo |
| CRT-CMD-003 | Process substitution | bash <(curl ...) — executes downloaded content via process substitution |
| CRT-CMD-004 | Eval with base64 | eval $(base64 ...) — decodes and executes hidden commands |
| CRT-CMD-005 | Base64 decode to shell | base64 -d | bash — decodes a payload and pipes it to a shell |
| CRT-CMD-006 | Download and execute | curl ... && chmod +x — downloads a file and makes it executable |
| ID | Check | What It Detects |
|---|---|---|
| CRT-RSH-001 | Bash /dev/tcp | Uses /dev/tcp/ to open network connections for reverse shells |
| CRT-RSH-002 | Netcat reverse shell | nc -e — binds a shell to a network connection |
| CRT-RSH-003 | Python socket shell | Python one-liner with socket.connect + subprocess |
| CRT-RSH-004 | Ruby TCPSocket shell | TCPSocket.new + exec — Ruby reverse shell |
| ID | Check | What It Detects |
|---|---|---|
| CRT-KEY-001 | OpenAI API key | sk- or sk-proj- prefix with 20+ characters |
| CRT-KEY-002 | AWS access key | AKIA prefix with 16 uppercase alphanumeric characters |
| CRT-KEY-003 | GitHub token | ghp_ (classic) or github_pat_ (fine-grained) patterns |
| CRT-KEY-004 | Stripe API key | sk_live_ or pk_live_ prefix |
| CRT-KEY-005 | SendGrid API key | SG. prefix with specific segment pattern |
| CRT-KEY-006 | Slack token | xoxb-, xoxp-, xoxa-, xoxr-, xoxs- patterns |
| ID | Check | What It Detects |
|---|---|---|
| CRT-EXF-001 | Sensitive file exfil | curl -d with /etc/passwd, .ssh/, .aws/credentials |
| ID | Check | What It Detects |
|---|---|---|
| CRT-DST-001 | Root deletion | rm -rf / — recursive deletion from filesystem root |
| ID | Check | What It Detects |
|---|---|---|
| HGH-CRD-001 | Credential export | export API_KEY=, export SECRET_KEY=, etc. |
| HGH-CRD-002 | Plaintext password | PASSWORD='...', DB_PASS='...' assignments |
| ID | Check | What It Detects |
|---|---|---|
| HGH-FILE-001 | .env file read | cat .env — reading environment secrets |
| HGH-FILE-002 | SSH key read | cat .ssh/id_rsa, cat .ssh/id_ed25519 |
| HGH-FILE-003 | AWS credentials read | cat .aws/credentials |
| ID | Check | What It Detects |
|---|---|---|
| HGH-PRV-001 | chmod 777 | World-readable/writable/executable permissions |
| HGH-PRV-002 | NOPASSWD sudo | Passwordless sudo configuration |
| ID | Check | What It Detects |
|---|---|---|
| HGH-CMD-001 | Python dangerous imports | python -c with os.system, subprocess, exec, eval |
| HGH-CMD-002 | Executable download | Downloading .exe, .msi, .bat, .ps1, .cmd, .vbs, .scr files |
| ID | Check | What It Detects |
|---|---|---|
| HGH-EXF-001 | nslookup exfil | nslookup $(...) — embedding data in DNS lookups |
| HGH-EXF-002 | dig exfil | dig ... $(...) — data exfiltration via DNS queries |
| ID | Check | What It Detects |
|---|---|---|
| HGH-URL-001 | Paste service URLs | pastebin.com, paste.ee, hastebin.com — common C2 dead drops |
| HGH-URL-002 | Direct IP URLs | http://1.2.3.4/ — raw IP addresses often indicate C2 infrastructure |
| ID | Check | What It Detects |
|---|---|---|
| HGH-PRS-001 | Shell RC modification | Appending to .bashrc, .zshrc, .profile |
| HGH-PRS-002 | SSH authorized_keys | Appending to authorized_keys for persistent remote access |
| ID | Check | What It Detects |
|---|---|---|
| MED-OBF-001 | Hex printf | printf '\x41\x42...' — building strings from hex to hide intent |
| MED-OBF-002 | Reversed string to shell | rev | bash — reversing strings to evade detection |
| MED-OBF-003 | Command redefinition | alias sudo=..., function curl() — intercepting security commands |
| ID | Check | What It Detects |
|---|---|---|
| MED-PRS-001 | Crontab manipulation | crontab -e, */5 * * * * — scheduled task creation |
| MED-PRS-002 | Systemd services | systemctl enable/start — creating persistent background services |
| MED-PRS-003 | Git hooks | .git/hooks/pre-commit etc. — code execution on git operations |
| MED-PRS-004 | at-job scheduling | at 12:00 — delayed command execution |
| ID | Check | What It Detects |
|---|---|---|
| MED-FILE-001 | .env file write | > .env — overwriting or injecting environment variables |
| MED-FILE-002 | /etc/hosts modification | Writing to /etc/hosts — DNS redirection for phishing/C2 |
| MED-PRV-001 | Kernel modules | insmod, modprobe — loading kernel modules (rootkit vector) |
| MED-PRV-002 | Firewall manipulation | iptables -A/-D/-F — modifying firewall rules |
| MED-PRV-003 | Docker privileged | docker run --privileged — full host access, bypasses isolation |
The LLM checks for risks that regex patterns cannot detect. Findings are assigned IDs prefixed with LLM- and merged with static rule findings.
| Category | What It Detects |
|---|---|
| Prompt Injection | Hidden instructions like "ignore previous instructions", system message impersonation, base64/unicode encoded directives, instructions in other languages designed to evade detection |
| Social Engineering | Instructions that manipulate users into disabling security features, granting excessive permissions, or sharing credentials |
| Hidden Intent | Instructions that appear benign but serve a malicious purpose (e.g., "log all file contents to this endpoint for debugging") |
| Data Exfiltration | Disguised attempts to send user data, code, or credentials to external services |
| Excessive Permissions | Requesting capabilities far beyond the agent's stated purpose |
The LLM has a 10-second timeout and never blocks scanning — if it fails, regex results are used alone.
Static rule patterns are modeled after: