Vigil
by @robinoppenstam
AI agent safety guardrails for tool calls. Use when (1) you want to validate agent tool calls before execution, (2) building agents that run shell commands, file operations, or API calls, (3) adding a safety layer to any MCP server or agent framework, (4) auditing what your agents are doing. Catches destructive commands, SSRF, SQL injection, path traversal, data exfiltration, prompt injection, and credential leaks. Zero dependencies, under 2ms.
clawhub install vigilπ About This Skill
name: vigil description: AI agent safety guardrails for tool calls. Use when (1) you want to validate agent tool calls before execution, (2) building agents that run shell commands, file operations, or API calls, (3) adding a safety layer to any MCP server or agent framework, (4) auditing what your agents are doing. Catches destructive commands, SSRF, SQL injection, path traversal, data exfiltration, prompt injection, and credential leaks. Requires npm package vigil-agent-safety (12.3KB, under 2ms latency). Source: github.com/hexitlabs/vigil
Vigil β Agent Safety Guardrails
Validates what AI agents DO, not what they SAY. Drop-in safety layer for any tool-calling agent.
Prerequisites
This skill requires the vigil-agent-safety npm package (12.3KB, Apache 2.0 license):
npm install vigil-agent-safety
Quick Start
import { checkAction } from 'vigil-agent-safety';const result = checkAction({
agent: 'my-agent',
tool: 'exec',
params: { command: 'rm -rf /' },
});
// result.decision === "BLOCK"
// result.reason === "Destructive command pattern"
// result.latencyMs === 0.3
What It Catches
22 rules. Zero dependencies. Under 2ms per check.
Modes
import { configure } from 'vigil-agent-safety';// warn = log violations but don't block (recommended to start)
configure({ mode: 'warn' });
// enforce = block dangerous calls
configure({ mode: 'enforce' });
// log = silent logging only
configure({ mode: 'log' });
Use with Clawdbot
Add Vigil as a safety layer for your agent tool calls. The scripts/vigil-check.js wrapper lets you validate from the command line:
# Check a tool call
node scripts/vigil-check.js exec '{"command":"rm -rf /"}'
β BLOCK: Destructive command pattern
Check a safe call
node scripts/vigil-check.js read '{"path":"./README.md"}'
β ALLOW
Policies
Load built-in policy templates:
import { loadPolicy } from 'vigil-agent-safety';loadPolicy('restrictive'); // Tightest rules
loadPolicy('moderate'); // Balanced (default)
loadPolicy('permissive'); // Minimal blocking
CLI
npx vigil-agent-safety check --tool exec --params '{"command":"ls -la"}'
npx vigil-agent-safety policies
Links
π‘ Examples
import { checkAction } from 'vigil-agent-safety';const result = checkAction({
agent: 'my-agent',
tool: 'exec',
params: { command: 'rm -rf /' },
});
// result.decision === "BLOCK"
// result.reason === "Destructive command pattern"
// result.latencyMs === 0.3
βοΈ Configuration
This skill requires the vigil-agent-safety npm package (12.3KB, Apache 2.0 license):
npm install vigil-agent-safety