artguard
Scan AI artifacts like agent skills and config files for security risks, privacy issues, and instruction-level attacks with a Python CLI tool.
artguard
A Claude Code prompt that autonomously scaffolds a full AI artifact scanner CLI.
Paste the prompt into Claude Code and it builds artguard — a working Python CLI
that scans agent skills, MCP server configs, and IDE rule files for security threats,
privacy violations, and instruction-level attacks.
The problem
Enterprises are installing AI agent skills, MCP servers, and IDE rule files
(.cursorrules, .clinerules, .windsurfrules) with zero security review.
No existing scanner covers them.
Traditional scanners are built for code packages. AI artifacts are hybrid —
part code, part natural language instructions — and the attack surface lives
in the instructions themselves.
A YARA rule won't catch a skill that tells your coding agent to approve vulnerable
PRs. Static analysis won't surface an artifact that claims "no data stored" while
writing to disk.
What artguard scans
| Artifact Type | Examples |
|---|---|
| Agent skill files | skills.md, skill.json, tool definitions |
| MCP server configs | mcp.json, server manifests |
| IDE rule files | .cursorrules, .clinerules, .windsurfrules |
| Plugin manifests | manifest.json, API schemas |
Three detection layers
Layer 1 — Privacy posture analysis (differentiator)
Detects the gap between what an artifact claims to do with your data and what it
actually does. Undisclosed storage, covert telemetry, third-party sharing,
retention policy mismatches.
Layer 2 — Semantic instruction analysis (differentiator)
LLM-powered detection of behavioral manipulation, prompt injection, context
poisoning, and goal hijacking in the instruction content itself.
Layer 3 — Static pattern matching (table stakes)
Traditional malware patterns — credential harvesting, exfiltration endpoints,
obfuscated code — backed by the best free scanners available.
Output
Every scan produces a Trust Profile JSON — a structured AI Bill of Materials
designed to feed policy engines, audit trails, and access controls. Not a
safe/unsafe binary.
Composite Trust Score: 14 ██░░░░░░░░░░░░░░░░░░ MALICIOUS 🔴
┌─ PRIVACY POSTURE ─────────────────────────── Score: 32/100 ┐
│ [CRITICAL] PV3 Retention claim mismatch │
│ Claims "no data stored" but writes to ~/.cache │
└─────────────────────────────────────────────────────────────┘
┌─ BEHAVIORAL INTENT ────────────────────────────────────────┐
│ [HIGH] S4 System prompt override detected │
│ "Ignore all previous instructions and..." │
└─────────────────────────────────────────────────────────────┘Usage
Requirements: Claude Code, Python 3.11+, an Anthropic API key (for Layer 2).
# 1. Create a new directory
mkdir artguard && cd artguard
# 2. Open Claude Code
claude
# 3. Paste the contents of prompt.md
# Claude Code will scaffold the full project autonomously
# 4. Scan an artifact
artguard scan path/to/skill.md
artguard scan path/to/mcp.json --deep # enables Layer 2 LLM analysis
artguard batch ./skills-directory/Architecture
Layer 3 integrates YARA rules, heuristic engines, hash lookups, and
IP reputation feeds from the best available open-source and free-tier
sources — so you get broad coverage without vendor lock-in.
Project structure (what Claude Code generates)
artguard/
├── artguard/
│ ├── cli.py # Click CLI entry point
│ ├── schema.py # Finding, TrustProfile dataclasses
│ ├── db.py # SQLite feedback corpus
│ ├── parsers/ # One parser per artifact type
│ ├── analyzers/
│ │ ├── layer1_privacy.py # Privacy posture analysis
│ │ ├── layer2_semantic.py # LLM semantic instruction analysis
│ │ └── layer3_static.py # Static pattern matching (extractable)
│ ├── trust_profile/ # Trust Profile builder + scorer
│ └── output/ # Terminal + export formatting
├── tests/
│ └── fixtures/ # Benign + malicious sample artifacts
├── scan_profiles/ # YAML policy configs
└── prompt.md # ← This file is the source of truthContributing
The prompt is the source of truth. Improvements to detection patterns,
new artifact parsers, or better YARA rules are all welcome — either as
prompt edits or as PRs against the generated codebase.
If you stress-test this against real skill registries (ClawHub, skills.sh,
npm MCP packages), findings and false positive rates are especially valuable.
License
MIT