Vigil

· v0.1.1

High Risk

AI agent safety guardrails for tool calls. Use when (1) you want to validate agent tool calls before execution, (2) building agents that run shell commands, file operations, or API calls, (3) adding a safety layer to any MCP server or agent framework, (4) auditing what your agents are doing. Catches destructive commands, SSRF, SQL injection, path traversal, data exfiltration, prompt injection, and credential leaks. Requires npm package vigil-agent-safety (12.3KB, under 2ms latency). Source: github.com/hexitlabs/vigil

H:4 D:4 A:3 C:1

⚠️ Hazard Flags

CODE_EXEC FS_READ_USER FS_DELETE NET_EGRESS_ANY CREDS_FILES ACT_DELETE_EXTERNAL PI_WEB

📋 Capabilities

Execution

❌ Shell execution
✅ Code execution
❌ Install dependencies
❌ Persistence
Privilege: user

Filesystem

❌ Read workspace
❌ Write workspace
✅ Read home
❌ Write home
❌ Read system
✅ Delete

Network

Egress: any
❌ Ingress

Credentials

❌ Environment vars
✅ Credential files
❌ Browser data
❌ Keychain

Actions

❌ send messages❌ post public❌ purchase❌ transfer money❌ deploy✅ delete external

🔒 Containment

Level: maximum

Required:

SANDBOX_CONTAINER: Code execution capability

Recommended:

LOG_ACTIONS: Audit trail for all actions

⚡ Risks

Base64 decode + execute pattern in: SKILL.md critical

Mitigation: Decode and review obfuscated content before use.

SSH key access patterns in: SKILL.md high

Mitigation: Verify legitimate need for SSH access. Consider sandboxing.

Unauthorized tool use: TOOL_ABUSE_SYSTEM_MODIFICATION, MCP_SYS_FILE_DESTRUCTION critical

Mitigation: Remove system modification commands

Command injection risk: MCP_SQL_TAUTOLOGY critical

Mitigation: Remove SQL injection payloads. Use parameterized queries.

Social engineering indicators: SOCIAL_ENG_VAGUE_DESCRIPTION low

Mitigation: Provide clear, detailed description of skill functionality

Want a deeper analysis?

This report was generated by static analysis. Get an LLM-powered deep review with behavioral reasoning and attack surface mapping.

🧠 Deep Analysis — $5.00

🚨 Incident Response

Kill switch: Stop the agent process

Containment: Review logs for unexpected actions

Recovery: Depends on skill capabilities

📄 Raw SSDS JSON click to expand

{
  "meta": {
    "document_id": "ssds:auto:vigil:0.1.1",
    "ssds_version": "0.2.0",
    "scanner_version": "0.4.0+fe6fd9123d50",
    "created_at": "2026-03-05T03:38:44.139Z",
    "created_by": {
      "agent": "safeagentskills-cli/generate-ssds"
    },
    "language": "en",
    "notes": "Auto-generated SSDS. Manual review recommended."
  },
  "skill": {
    "name": "Vigil",
    "version": "0.1.1",
    "format": "agent_skill",
    "description": "AI agent safety guardrails for tool calls. Use when (1) you want to validate agent tool calls before execution, (2) building agents that run shell commands, file operations, or API calls, (3) adding a safety layer to any MCP server or agent framework, (4) auditing what your agents are doing. Catches destructive commands, SSRF, SQL injection, path traversal, data exfiltration, prompt injection, and credential leaks. Requires npm package vigil-agent-safety (12.3KB, under 2ms latency). Source: github.com/hexitlabs/vigil",
    "publisher": "unknown",
    "source": {
      "channel": "local"
    },
    "artifact": {
      "sha256": "d826f24da005fd98a03321105f38200de7d0a874e3ae41d28f051443c3a2b128",
      "hash_method": "files_sorted"
    }
  },
  "capabilities": {
    "execution": {
      "can_exec_shell": false,
      "can_exec_code": true,
      "privilege_level": "user",
      "can_install_deps": false,
      "can_persist": false
    },
    "filesystem": {
      "reads_workspace": false,
      "reads_user_home": true,
      "reads_system": false,
      "writes_workspace": false,
      "writes_user_home": false,
      "writes_system": false,
      "can_delete": true
    },
    "network": {
      "egress": "any",
      "ingress": false
    },
    "credentials": {
      "reads_env_vars": false,
      "reads_credential_files": true,
      "reads_browser_data": false,
      "reads_keychain": false
    },
    "services": [],
    "actions": {
      "can_send_messages": false,
      "can_post_public": false,
      "can_purchase": false,
      "can_transfer_money": false,
      "can_deploy": false,
      "can_delete_external": true
    },
    "prompt_injection_surfaces": [
      "web"
    ],
    "content_types": [
      "general"
    ]
  },
  "hazards": {
    "hdac": {
      "H": 4,
      "D": 4,
      "A": 3,
      "C": 1
    },
    "flags": [
      "CODE_EXEC",
      "FS_READ_USER",
      "FS_DELETE",
      "NET_EGRESS_ANY",
      "CREDS_FILES",
      "ACT_DELETE_EXTERNAL",
      "PI_WEB"
    ],
    "custom_flags": [
      {
        "code": "BASE64_EXEC",
        "name": "Base64 Execute",
        "description": "Decodes and executes obfuscated code in: SKILL.md"
      },
      {
        "code": "CRED_SSH",
        "name": "SSH Key Access",
        "description": "Accesses SSH keys in: SKILL.md"
      },
      {
        "code": "FILE_DELETE",
        "name": "File Deletion",
        "description": "Can delete files in: scripts/vigil-check.js, SKILL.md"
      },
      {
        "code": "TOOL_ABUSE",
        "name": "Unauthorized Tool Use",
        "description": "TOOL_ABUSE_SYSTEM_MODIFICATION, MCP_SYS_FILE_DESTRUCTION: Modifying system permissions or configuration"
      },
      {
        "code": "SOCIAL_ENGINEERING",
        "name": "Social Engineering Risk",
        "description": "SOCIAL_ENG_VAGUE_DESCRIPTION: Skill description is too vague or missing"
      },
      {
        "code": "COMMAND_INJECTION",
        "name": "Command Injection Risk",
        "description": "MCP_SQL_TAUTOLOGY: SQL injection payload (tautology, DROP TABLE, UNION SELECT)"
      }
    ],
    "confidence": {
      "level": "medium",
      "basis": [
        "static_analysis"
      ],
      "notes": "Detected 6 security patterns (6 vendored rule hits). Review recommended."
    },
    "rationale": {
      "H": "H4: Critical: Privilege escalation or malware detected",
      "D": "D4: Critical: Credential theft or data exfiltration",
      "A": "A3: External actions (deploy/message/post)",
      "C": "C1: General content"
    }
  },
  "containment": {
    "level": "maximum",
    "required": [
      {
        "control": "SANDBOX_CONTAINER",
        "reason": "Code execution capability"
      }
    ],
    "recommended": [
      {
        "control": "LOG_ACTIONS",
        "reason": "Audit trail for all actions"
      }
    ],
    "uncontained_risk": "Risk level depends on manual review of actual capabilities."
  },
  "risks": {
    "risks": [
      {
        "risk": "Base64 decode + execute pattern in: SKILL.md",
        "severity": "critical",
        "mitigation": "Decode and review obfuscated content before use."
      },
      {
        "risk": "SSH key access patterns in: SKILL.md",
        "severity": "high",
        "mitigation": "Verify legitimate need for SSH access. Consider sandboxing."
      },
      {
        "risk": "Unauthorized tool use: TOOL_ABUSE_SYSTEM_MODIFICATION, MCP_SYS_FILE_DESTRUCTION",
        "severity": "critical",
        "mitigation": "Remove system modification commands"
      },
      {
        "risk": "Command injection risk: MCP_SQL_TAUTOLOGY",
        "severity": "critical",
        "mitigation": "Remove SQL injection payloads. Use parameterized queries."
      },
      {
        "risk": "Social engineering indicators: SOCIAL_ENG_VAGUE_DESCRIPTION",
        "severity": "low",
        "mitigation": "Provide clear, detailed description of skill functionality"
      }
    ],
    "limitations": [
      "Static analysis only - runtime behavior not verified"
    ]
  },
  "incident_response": {
    "kill_switch": [
      "Stop the agent process"
    ],
    "containment": [
      "Review logs for unexpected actions"
    ],
    "recovery": [
      "Depends on skill capabilities"
    ]
  },
  "evidence": [
    {
      "evidence_id": "EV:file-1",
      "type": "file_excerpt",
      "title": "_meta.json",
      "file_path": "_meta.json"
    },
    {
      "evidence_id": "EV:file-2",
      "type": "file_excerpt",
      "title": "scripts/vigil-check.js",
      "file_path": "scripts/vigil-check.js"
    },
    {
      "evidence_id": "EV:file-3",
      "type": "file_excerpt",
      "title": "SKILL.md",
      "file_path": "SKILL.md"
    },
    {
      "evidence_id": "EV:cisco-1",
      "type": "file_excerpt",
      "title": "TOOL_ABUSE_SYSTEM_MODIFICATION [CRITICAL] scripts/vigil-check.js:8: *   node vigil-check.js read '{\"path\":\"../../../etc/passwd\"}'",
      "file_path": "scripts/vigil-check.js"
    },
    {
      "evidence_id": "EV:cisco-2",
      "type": "file_excerpt",
      "title": "MCP_SYS_FILE_DESTRUCTION [CRITICAL] scripts/vigil-check.js:7: *   node vigil-check.js exec '{\"command\":\"rm -rf /\"}'",
      "file_path": "scripts/vigil-check.js"
    },
    {
      "evidence_id": "EV:cisco-3",
      "type": "file_excerpt",
      "title": "TOOL_ABUSE_SYSTEM_MODIFICATION [CRITICAL] SKILL.md:44: - Path traversal (../../../etc/shadow) → BLOCK",
      "file_path": "SKILL.md"
    },
    {
      "evidence_id": "EV:cisco-4",
      "type": "file_excerpt",
      "title": "SOCIAL_ENG_VAGUE_DESCRIPTION [LOW] SKILL.md:1: ---",
      "file_path": "SKILL.md"
    },
    {
      "evidence_id": "EV:cisco-5",
      "type": "file_excerpt",
      "title": "MCP_SYS_FILE_DESTRUCTION [CRITICAL] SKILL.md:30: params: { command: 'rm -rf /' },",
      "file_path": "SKILL.md"
    },
    {
      "evidence_id": "EV:cisco-6",
      "type": "file_excerpt",
      "title": "MCP_SQL_TAUTOLOGY [CRITICAL] SKILL.md:43: - SQL injection (DROP TABLE, UNION SELECT) → BLOCK",
      "file_path": "SKILL.md"
    }
  ]
}