agent-audit

agent-audit is an open-source auditing and policy-checking tool for AI agent code. It focuses on practical static checks for agent code and configuration: rule coverage aligned with OWASP Agentic Top 10 style risk categories, taint-style data-flow analysis, and auditing of MCP configuration.

This project is part of our Agent Layer work on agent behavior and multi-agent failure modes. It provides static checks that complement runtime auditing when teams need deployment-ready evidence.

GitHub Repository | PyPI Package | Paper (arXiv) | Paper (PDF)

If this project is useful in your workflow, please star the GitHub repository to help more practitioners discover it.


Why this project

AI agent pipelines combine LLM prompts, external tools, and runtime configuration, which expands the attack surface beyond that of traditional application code. agent-audit is designed to help teams catch high-risk patterns early, in development and in CI, and to check policy-relevant constraints before deployment.

Core capabilities

  • Static security auditing of agent code for risk-relevant patterns.
  • Taint-style analysis that follows untrusted data (model output, tool results) to sensitive sinks and reports risky flow paths.
  • Audit checks for MCP-related configuration issues.
  • Rule coverage mapped to agent security risk categories.
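To make the taint-style capability above concrete, here is an added example of how such a check works in principle. This is illustrative code written for this page, not agent-audit's implementation or rule set: it walks the AST of an agent module, treats return values of a few hypothetical source calls (llm.complete, tool_result, input) as untrusted, propagates taint through assignments, method calls, f-strings and list literals, and reports when a tainted value reaches a command-execution sink such as subprocess.run or os.system. The sample agent module it scans is constructed for the example.

```python
"""Illustrative taint-style flow check for agent code.

Added example for this page; NOT agent-audit's implementation. The source and
sink names below are assumptions chosen for the illustration.
"""
import ast

# Hypothetical sources (untrusted data enters here) and sinks (dangerous to
# feed untrusted data into). A real rule set would be larger and framework-aware.
SOURCE_CALLS = {"llm.complete", "tool_result", "input"}
SINK_CALLS = {"os.system", "subprocess.run", "subprocess.Popen", "eval", "exec"}


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintTracker(ast.NodeVisitor):
    """Walks statements in source order; taint state is per function."""

    def __init__(self):
        self.tainted = set()   # variable names currently holding untrusted data
        self.findings = []     # (line number, sink name)

    def expr_tainted(self, node):
        """True if the expression carries untrusted data."""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            if dotted_name(node.func) in SOURCE_CALLS:
                return True
            # method call on tainted value (x.strip()) or tainted argument (fmt(x))
            if isinstance(node.func, ast.Attribute) and self.expr_tainted(node.func.value):
                return True
            return any(self.expr_tainted(a) for a in node.args)
        if isinstance(node, ast.JoinedStr):   # f-string interpolating tainted values
            return any(self.expr_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.BinOp):       # string concatenation / formatting
            return self.expr_tainted(node.left) or self.expr_tainted(node.right)
        if isinstance(node, (ast.List, ast.Tuple)):
            return any(self.expr_tainted(e) for e in node.elts)
        return False

    def visit_FunctionDef(self, node):
        # Fresh taint state per function. This walker is deliberately simple:
        # it does not merge branches or follow calls between functions.
        saved, self.tainted = self.tainted, set()
        self.generic_visit(node)
        self.tainted = saved

    def visit_Assign(self, node):
        tainted = self.expr_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if tainted:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)  # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        sink = dotted_name(node.func)
        if sink in SINK_CALLS:
            args = list(node.args) + [kw.value for kw in node.keywords]
            if any(self.expr_tainted(a) for a in args):
                self.findings.append((node.lineno, sink))
        self.generic_visit(node)


def find_tainted_sinks(source):
    """Return [(line, sink)] for every sink call fed untrusted data."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings


# Constructed sample agent module (not real code from any project).
SAMPLE_AGENT = '''
import os, subprocess

def run_task(task):
    plan = llm.complete(f"Plan for {task}")  # untrusted source
    cmd = plan.strip()                       # taint follows the method call
    subprocess.run(["sh", "-c", cmd])        # sink reached by tainted data

def safe_task(task):
    cmd = "ls -la"                           # constant, never tainted
    os.system(cmd)                           # sink with clean input

def overwritten():
    data = tool_result("fetch")
    data = "fixed"                           # clean value replaces the tainted one
    os.system(data)                          # no finding
'''

if __name__ == "__main__":
    for line, sink in find_tainted_sinks(SAMPLE_AGENT):
        print(f"line {line}: untrusted data reaches {sink}")
```

The only reported flow is the subprocess.run call in run_task; the constant command and the overwritten variable produce nothing. The walker is intentionally flow-insensitive across branches and intra-procedural, which is exactly the kind of limitation a practitioner should expect from lightweight taint-style checks and should weigh when treating their output as deployment evidence.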

Quick start

Install from PyPI:

pip install agent-audit

ClawHub deployment results (March 2026)

agent-audit was deployed as the ClawHub scanner to analyze the skill ecosystem at scale.

  • Scanned 18,899 ClawHub skills end-to-end.
  • Detected 13,947 total vulnerabilities, including 1,996 BLOCK-level critical findings.
  • 7 new OpenClaw rules triggered 1,845 hits in total.
  • Obfuscated shell command rule AGENT-058 triggered 1,034 times.
  • Vulnerability rate: 46.6% for skills with scripts vs 16.8% for skills without scripts.