🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
πŸ¦€ ClawHub

Vigil

by @robinoppenstam

AI agent safety guardrails for tool calls. Use when (1) you want to validate agent tool calls before execution, (2) building agents that run shell commands, file operations, or API calls, (3) adding a safety layer to any MCP server or agent framework, (4) auditing what your agents are doing. Catches destructive commands, SSRF, SQL injection, path traversal, data exfiltration, prompt injection, and credential leaks. Zero dependencies, under 2ms.

Versionv0.1.1
Downloads1,351
TERMINAL
clawhub install vigil

πŸ“– About This Skill


name: vigil description: AI agent safety guardrails for tool calls. Use when (1) you want to validate agent tool calls before execution, (2) building agents that run shell commands, file operations, or API calls, (3) adding a safety layer to any MCP server or agent framework, (4) auditing what your agents are doing. Catches destructive commands, SSRF, SQL injection, path traversal, data exfiltration, prompt injection, and credential leaks. Requires npm package vigil-agent-safety (12.3KB, under 2ms latency). Source: github.com/hexitlabs/vigil

Vigil β€” Agent Safety Guardrails

Validates what AI agents DO, not what they SAY. Drop-in safety layer for any tool-calling agent.

Prerequisites

This skill requires the vigil-agent-safety npm package (12.3KB, Apache 2.0 license):

npm install vigil-agent-safety

  • Source code: https://github.com/hexitlabs/vigil
  • npm: https://www.npmjs.com/package/vigil-agent-safety
  • The npm package has zero runtime dependencies. This skill is a wrapper that calls that package.
  • Quick Start

    import { checkAction } from 'vigil-agent-safety';

    const result = checkAction({ agent: 'my-agent', tool: 'exec', params: { command: 'rm -rf /' }, });

    // result.decision === "BLOCK" // result.reason === "Destructive command pattern" // result.latencyMs === 0.3

    What It Catches

  • Destructive commands (rm -rf, mkfs, reverse shells) β†’ BLOCK
  • SSRF (metadata endpoints, localhost, internal IPs) β†’ BLOCK
  • Data exfiltration (curl to external, .ssh/id_rsa access) β†’ BLOCK
  • SQL injection (DROP TABLE, UNION SELECT) β†’ BLOCK
  • Path traversal (../../../etc/shadow) β†’ BLOCK
  • Prompt injection (ignore instructions, [INST] tags) β†’ BLOCK
  • Encoding attacks (base64 decode, eval(atob())) β†’ BLOCK
  • Credential leaks (API keys, AWS keys, tokens) β†’ ESCALATE
  • 22 rules. Zero dependencies. Under 2ms per check.

    Modes

    import { configure } from 'vigil-agent-safety';

    // warn = log violations but don't block (recommended to start) configure({ mode: 'warn' });

    // enforce = block dangerous calls configure({ mode: 'enforce' });

    // log = silent logging only configure({ mode: 'log' });

    Use with Clawdbot

    Add Vigil as a safety layer for your agent tool calls. The scripts/vigil-check.js wrapper lets you validate from the command line:

    # Check a tool call
    node scripts/vigil-check.js exec '{"command":"rm -rf /"}'
    

    β†’ BLOCK: Destructive command pattern

    Check a safe call

    node scripts/vigil-check.js read '{"path":"./README.md"}'

    β†’ ALLOW

    Policies

    Load built-in policy templates:

    import { loadPolicy } from 'vigil-agent-safety';

    loadPolicy('restrictive'); // Tightest rules loadPolicy('moderate'); // Balanced (default) loadPolicy('permissive'); // Minimal blocking

    CLI

    npx vigil-agent-safety check --tool exec --params '{"command":"ls -la"}'
    npx vigil-agent-safety policies
    

    Links

  • GitHub: https://github.com/hexitlabs/vigil
  • npm: https://www.npmjs.com/package/vigil-agent-safety
  • Docs: https://hexitlabs.com/vigil
  • πŸ’‘ Examples

    import { checkAction } from 'vigil-agent-safety';

    const result = checkAction({ agent: 'my-agent', tool: 'exec', params: { command: 'rm -rf /' }, });

    // result.decision === "BLOCK" // result.reason === "Destructive command pattern" // result.latencyMs === 0.3

    βš™οΈ Configuration

    This skill requires the vigil-agent-safety npm package (12.3KB, Apache 2.0 license):

    npm install vigil-agent-safety
    

  • Source code: https://github.com/hexitlabs/vigil
  • npm: https://www.npmjs.com/package/vigil-agent-safety
  • The npm package has zero runtime dependencies. This skill is a wrapper that calls that package.