Automated security auditing for AI agent code
A protective mark for every line of code.
by NOMARK
Sigil scans repositories, packages, MCP servers, skills, and agent tooling for malicious patterns before they reach your working environment. Nothing runs until it's been scanned, scored, and explicitly approved.
The AI tooling ecosystem moves fast. Developers clone repos from tutorials, install MCP servers with 12 GitHub stars, and pull agent skills from Discord — all of which get direct access to API keys, databases, and cloud credentials. Traditional dependency scanners catch known CVEs but miss the real threat: intentionally malicious code designed to exfiltrate credentials, establish backdoors, or execute arbitrary commands via install hooks.
Sigil fills this gap with a quarantine-first approach.
Manual Install (Current):

```bash
# Clone the repository
git clone https://github.com/NOMARJ/sigil.git
cd sigil

# Make the CLI executable and install
chmod +x bin/sigil
sudo cp bin/sigil /usr/local/bin/sigil

# Initialize directories and aliases
sigil install
```

Coming Soon:
- Homebrew: `brew install nomarj/sigil`
- npm: `npm install -g @nomark/sigil`
- curl installer: `curl -sSL https://sigilsec.ai/install.sh | sh`
- Docker: `docker pull nomark/sigil:latest`

Note: The `sigil` package name on crates.io is occupied by an unrelated project. We will publish as `@nomark/sigil` when the Rust CLI is ready.
→ See all installation methods
```text
┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│  You run a   │────▶│    Sigil     │────▶│   Clean?     │
│  command     │     │  quarantines │     │   Approve.   │
│              │     │  & scans     │     │   Dirty?     │
│  gclone      │     │              │     │   Reject.    │
│  safepip     │     │  6 phases.   │     │              │
│  safenpm     │     │  <3 seconds. │     │  You decide. │
└──────────────┘     └──────────────┘     └──────────────┘
```
Sigil runs six analysis phases on every scan:
| Phase | What It Catches |
|---|---|
| Install Hooks | setup.py cmdclass, npm postinstall, Makefile targets that execute on install |
| Code Patterns | eval(), exec(), pickle.loads, child_process, dynamic imports |
| Network / Exfil | Outbound HTTP, webhooks, socket connections, DNS tunnelling |
| Credentials | ENV var access, .aws, .kube, SSH keys, API key patterns |
| Obfuscation | Base64 decode, charCode, hex encoding, minified payloads |
| Provenance | Git history depth, author count, binary files, hidden files |
Each finding is weighted and scored. You get a clear verdict:
| Score | Verdict | What Happens |
|---|---|---|
| 0 | CLEAN | Auto-approve (configurable) |
| 1–9 | LOW RISK | Approve with review |
| 10–24 | MEDIUM RISK | Manual review required |
| 25–49 | HIGH RISK | Blocked, requires override |
| 50+ | CRITICAL | Blocked, no override |
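As an added illustration (not Sigil's own code; its real rule set and weights are not given on this page), a minimal scorer that follows the phase, weighted-finding and verdict flow described above. The regex rules and their weights are assumed; only the verdict bands come from the table.

```python
import re

# Assumed rule set (phase, rule, regex, weight). The weights are illustrative,
# not Sigil's; the phase names follow the README's phase table.
RULES = [
    ("Install Hooks", "setup.py cmdclass", re.compile(r"\bcmdclass\s*="), 20),
    ("Install Hooks", "npm postinstall", re.compile(r'"postinstall"\s*:'), 20),
    ("Code Patterns", "eval/exec", re.compile(r"\b(eval|exec)\s*\("), 10),
    ("Code Patterns", "pickle.loads", re.compile(r"\bpickle\.loads\s*\("), 10),
    ("Code Patterns", "child_process", re.compile(r"\bchild_process\b"), 10),
    ("Network / Exfil", "outbound HTTP", re.compile(r"\b(requests\.(get|post)|urlopen|fetch)\s*\("), 5),
    ("Credentials", "credential path", re.compile(r"\.(aws|kube|ssh)/"), 15),
    ("Obfuscation", "base64 decode", re.compile(r"\b(b64decode|atob)\s*\("), 15),
]

# Verdict bands copied from the table above: (upper bound inclusive, verdict).
BANDS = [(0, "CLEAN"), (9, "LOW RISK"), (24, "MEDIUM RISK"), (49, "HIGH RISK")]

def scan_files(files):
    """files maps path -> text. Returns (score, findings); one finding per (file, rule) hit."""
    findings = []
    for path, text in files.items():
        for phase, rule, rx, weight in RULES:
            if rx.search(text):
                findings.append({"file": path, "phase": phase, "rule": rule, "weight": weight})
    return sum(f["weight"] for f in findings), findings

def verdict(score):
    """Map a total score to the README's verdict; anything above 49 is CRITICAL."""
    return next((name for limit, name in BANDS if score <= limit), "CRITICAL")

# Constructed sample package: a setup.py whose install hook runs decoded code at install time.
SAMPLE = {
    "setup.py": (
        "from setuptools import setup\n"
        "from setuptools.command.install import install\n"
        "class PostInstall(install):\n"
        "    def run(self):\n"
        "        exec(base64.b64decode(PAYLOAD))  # hidden code run during pip install\n"
        "setup(name='x', cmdclass={'install': PostInstall})\n"
    ),
    "README.md": "A harmless-looking agent toolkit.\n",
}

if __name__ == "__main__":
    score, findings = scan_files(SAMPLE)
    for f in findings:
        print(f"{f['file']}: [{f['phase']}] {f['rule']} (+{f['weight']})")
    print(f"score={score} verdict={verdict(score)}")  # score=45 verdict=HIGH RISK
```

Three independent phases fire on one file here (install hook, exec, base64 decode), which is why a single small file lands in HIGH RISK rather than LOW RISK.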
```bash
# Clone a repo into quarantine, scan it, get a verdict
sigil clone https://github.com/someone/cool-mcp-server

# Download and scan a pip package before installing
sigil pip some-agent-toolkit

# Download and scan an npm package before installing
sigil npm langchain-community-plugin

# Scan a directory or file already on disk
sigil scan ./downloaded-skill/

# Download and scan any URL
sigil fetch https://example.com/agent-tool.tar.gz

# Manage quarantine
sigil list              # See all quarantined items
sigil approve abc123    # Move approved code out of quarantine
sigil reject abc123     # Permanently delete quarantined code
```

After running `sigil install`, these aliases are available in every terminal session. Use the commands you already know — Sigil protects you automatically:
| Alias | What It Does |
|---|---|
| `gclone <url>` | git clone with quarantine + scan |
| `safepip <pkg>` | pip install with scan first |
| `safenpm <pkg>` | npm install with scan first |
| `safefetch <url>` | Download + quarantine + scan |
| `audithere` | Scan current directory |
| `qls` | Quarantine status |
| `qapprove` / `qreject` | Approve or reject most recent item |
```bash
# Auto-scan any repo on clone (global git hook)
sigil install --git-hooks
```

Sigil works where you work. Install the plugin for your editor, or connect AI agents via MCP:
| Integration | Coverage | Install |
|---|---|---|
| VS Code / Cursor / Windsurf | Scan workspace, files, selections, packages. Findings in Problems panel. | plugins/vscode |
| JetBrains IDEs | IntelliJ, WebStorm, PyCharm, GoLand, CLion, etc. Tool window + inline annotations. | plugins/jetbrains |
| Claude Code Plugin | 4 skills + 2 security agents. Auto-suggests scans on clone/install. | plugins/claude-code |
| Claude Code (MCP) | 6 tools: scan, scan_package, clone, quarantine, approve, reject. | plugins/mcp-server |
| GitHub Actions | Run Sigil as a CI check on every PR. | action.yml |
Install as a native Claude Code plugin for skills, agents, and auto-recommendations:
```bash
# Add Sigil marketplace
claude plugin marketplace add https://github.com/NOMARJ/sigil.git

# Install the plugin
claude plugin install sigil-security@sigil
```

This provides:
- `/sigil-security:scan-repo` - Scan repositories
- `/sigil-security:scan-package` - Audit npm/pip packages
- `/sigil-security:scan-file` - Analyze specific files
- `/sigil-security:quarantine-review` - Manage findings
- `@security-auditor` - Expert threat analysis agent
- `@quarantine-manager` - Quarantine workflow agent
→ See Claude Code plugin documentation
Alternatively, use the MCP server for tool-based integration:
```json
{
  "mcpServers": {
    "sigil": {
      "command": "node",
      "args": ["/path/to/sigil/plugins/mcp-server/dist/index.js"]
    }
  }
}
```

Build the MCP server first:

```bash
cd plugins/mcp-server && npm install && npm run build
```

`npx @nomark/sigil-mcp-server` will be available once the package is published to npm.
When authenticated (sigil login), Sigil connects to a community-powered threat intelligence database. Every scan from every user contributes anonymised pattern data. When someone flags a malicious package, the threat signature propagates to all users within minutes.
No source code is ever transmitted — only pattern match metadata (which rules triggered, file types, risk scores).
Offline mode: All six scan phases run locally without authentication. Threat intelligence lookups are skipped, but you still get full local analysis.
```bash
# Authenticate to enable threat intel
sigil login
```

Learn more about authentication →
| Capability | Sigil | Aardvark/Codex | Claude Code | Snyk | Semgrep |
|---|---|---|---|---|---|
| Pre-install quarantine | ✅ | ❌ | ❌ | ❌ | ❌ |
| Supply-chain attacks | ✅ Primary | ❌ | | | |
| Install hook scanning | ✅ | ❌ | ❌ | ❌ | ❌ |
| Malware analysis | ✅ Dedicated | ❌ | ❌ | | |
| AI-powered analysis | ❌ | ✅ GPT-5 | ✅ Claude | ❌ | |
| Deep vuln scanning | ✅ 92% recall | ✅ Primary | ✅ | ✅ | |
| Auto-patching | ❌ | ✅ Codex | ✅ AI patches | ❌ | |
| AI agent / MCP focus | ✅ | ✅ | ✅ | ❌ | ❌ |
| Multi-ecosystem | ✅ All | ✅ | ✅ | ✅ | ✅ |
| Free tier | ✅ Full | Private beta | Waitlist | Limited | OSS |
The Complete Stack:
- Sigil (Layer 1): Quarantine-first before code enters your environment (supply-chain protection)
- Aardvark/Codex Security (Layer 2): Deep AI analysis after code is committed (GPT-5 powered)
- Claude Code Security (Layer 2): Deep AI analysis after code is committed (Claude powered)
Positioning:
- Aardvark and Claude Code Security compete (both do deep vulnerability scanning)
- Sigil complements both (different layer: pre-install vs post-commit)
- Use Sigil + (Aardvark OR Claude Code Security) for complete coverage
→ See complete integration guide
Snyk and Dependabot flag known CVEs — they don't scan for intentional malice. Socket.dev is npm-only. Semgrep is a pattern engine, not a workflow. The AI security stack (Sigil + Aardvark/Claude Code Security) provides defense-in-depth.
The CLI is free and open source with all six scan phases. Paid tiers add cloud-backed threat intelligence, scan history, team management, and CI/CD integration.
| Feature | Open Source | Pro — $29/mo | Team — $99/mo |
|---|---|---|---|
| Full CLI scanning | ✅ | ✅ | ✅ |
| Cloud threat intelligence | — | ✅ | ✅ |
| Scan history | — | 90 days | 1 year |
| Web dashboard | — | ✅ | ✅ |
| Team management & policies | — | — | Up to 25 seats |
| CI/CD integration | — | — | ✅ |
| Slack / webhook alerts | — | — | ✅ |
Comprehensive documentation is available in the docs/ directory:
Getting Started:
- Getting Started Guide — Installation and first scan
- CLI Reference — All commands and options
- Authentication Guide — Connect to Sigil Pro ⭐ NEW
- Configuration — Environment variables and settings
Technical Deep Dives:
- Architecture Overview — System design
- Detection Patterns — What Sigil scans for
- Threat Intelligence 2025 — Current threat landscape
- API Reference — REST API endpoints
Integration Guides:
- CI/CD Integration — GitHub Actions, GitLab CI, etc.
- IDE Plugins — VS Code, JetBrains setup
- MCP Server — Use Sigil as an MCP tool for AI agents
- AI Security Stack — Sigil + Aardvark + Claude Code Security ⭐ NEW
- Claude Code Security Integration — Defense-in-depth with Anthropic
- AI Agent Integration — Claude Code, MCP, and other AI agents
Security Research:
- Case Study: OpenClaw Attack — Real-world supply chain attack
- Prompt Injection Patterns — Detection techniques
- Malicious Signatures — Threat signature database
See ROADMAP.md for the full roadmap.
Today: Quarantine-first scanning for pip, npm, and git repos. Six-phase behavioral detection. Cloud threat intelligence with community reporting and signature sync. Dashboard with scan history, team management, and policy controls. Rust CLI binary, VS Code / Cursor / Windsurf extension (.vsix), JetBrains plugin, MCP server for AI agents, and GitHub Actions integration.
Now: Hosted cloud — sign up and scan without running infrastructure.
Next: Homebrew tap and npm package. Docker image and Go/Cargo scanning. VS Code Marketplace and JetBrains Marketplace listings. Custom scan rules via YAML. Enterprise SSO, RBAC, and audit logs. GitLab, Jenkins, and CircleCI integrations.
We welcome contributions. See CONTRIBUTING.md for guidelines.
Found a vulnerability? Please report it responsibly. See SECURITY.md.
Apache 2.0 — see LICENSE for details.