agent-audit is an open-source auditing and policy-checking tool for AI agent code. It focuses on practical checks for AI auditing and assurance in agent systems, including coverage aligned with OWASP Agentic Top 10 style risk categories, taint-style flow analysis, and MCP configuration auditing.
This project sits mainly in our AI Auditing & Assurance direction, with direct overlap with AI Safety & Security when teams need deployment-ready evidence and policy checks.
If this project is useful in your workflow, please star the GitHub repository to help more practitioners discover it.
AI agent pipelines combine LLM prompts, external tools, and runtime configuration. This expands the attack surface beyond traditional app code. agent-audit is designed to help teams catch high-risk patterns earlier in development and CI, and to check policy-relevant constraints before deployment.
Install from PyPI:
pip install agent-audit
agent-audit was used in the ClawHub scanner deployment to analyze the ecosystem at scale.