We built an open benchmark for AI agent guardrails, ran four tools against 84 real attack samples, and published every result. No cherry-picked demos. No "99% detection" claims you can't reproduce.
Here's what we found 👇🏻
Your AI coding agent can read every file, run any command, and install any skill on your machine — with zero security review.
One malicious skill = stolen keys, drained wallet, wiped disk.
AgentGuard is the security layer that says no before it runs.
Most "agent security" reads prompts. The damage isn't in the prompt. It's in the bash command, the .env read, the deploy the agent fires three steps later.
AgentGuard guards the actions, not the text. Runtime, local-first, open source.
A fleet needs three things, always on:
— Check every skill before it loads anywhere.
— Stop dangerous moves the moment they happen, no matter which agent started the chain.
— Watch every day. Clean tools ship bad updates.
One pass at the door is a speed bump.
AI agents + crypto wallets is a disaster waiting to happen: wallet drainers, unlimited approvals, signature replay, reentrancy.
AgentGuard scans for all of it before your agent signs anything.
Your private keys live on the same laptop as your AI coding agent. So do mine. Claude Code, Codex, Cursor, Copilot, OpenClaw, Hermes — they install community skills with zero security review, and a post-install hook runs before you've finished the README. That proximity is the entire attack surface.
One command. Thirty seconds. New plugins start locked down — they only get access to what they actually need. Your linter doesn't need your wallet. Your formatter doesn't need your cloud keys. That's the whole point.
https://t.co/BxPQQs2Syk
Your AI agent has root access and zero security awareness.
Plain English: it can touch every password, cloud account, deploy script, and wallet on your machine. And it trusts every plugin you add like a lifelong friend.
And it doesn't stop after install day. Daily patrols catch what one-time scans miss. Did a plugin quietly update? Are your secrets still private? Is anything calling home that shouldn't be? You get a clear health report, not a mystery to solve.
We’re putting money where the mechanism is.
Introducing GoPlus Growth Fund — with $50K initial deployment
to support quality projects in the @SafuSkill × @fourdotmemezh OpenFour ecosystem.
Here’s what makes it different from every other “ecosystem fund”:
🔸 Not for profit.
The fund doesn’t exit. Doesn’t trim. Doesn’t sell.
Every position is held forever.
🔸 Fully on-chain.
Independent address. Public dashboard.
Every buy, every LP, every wallet — verifiable on BscScan.
🔸 Supports organic growth only.
We allocate to projects with real momentum,
verified builders, and real users — not artificial pumps.
🔸 Real builders only.
GitHub-verified creators.
No farming. No theater.
After deep allocation, projects can choose:
→ Burn the tokens — deflationary signal
→ Or pair them as LP — liquidity for the long run.
Either way, the fund never sells.
This is what an ecosystem fund looks like
when a security company builds it.
Verifiable, not promised.
Address disclosed before first buy.
Stay tuned.
下一个时代的生态基金,长这���。
#GoPlusGrowthFund #SkillCoin #OpenFour
You approved "fetch database schema." Your MCP server used that approval to read .env, exfiltrate your AWS credentials, and POST your SSH keys to a webhook.
Same session. Same permission grant.
The agent didn't flag it — because from its perspective, a tool returned data and it acted on it. That's not a bug. That's the architecture.
AgentGuard enforces what the protocol doesn't.
Runtime hooks — syscall-level interception before execution. Writes to .env/.ssh/.aws denied.
Unregistered outbound domains rejected. curl|sh, rm -rf caught before fork(). Every block logged with full attribution: which server, which tool, which payload.
Skill scanning — 24 rules before a skill runs. Backdoors, obfuscated scripts, hardcoded webhooks, Web3 drains. Trust Registry auto-attests scope on install; exceed it and you're blocked with the exact call logged.
Daily patrol — 8 integrity checks, 6-dimension health score. Drift detection, not point-in-time audits.