Show HN: Scan your AI agents for dangerous capabilities
Summary
MakerChecker is an open-source security layer for AI agents that enforces deny-by-default permissions, human approvals, and provides a cryptographically signed audit trail. It scans agent code for dangerous capabilities and prevents agents from approving their own actions.
View Cached Full Text
Cached at: 07/06/26, 02:03 PM
makerchecker/MakerChecker
Source: https://github.com/makerchecker/MakerChecker
π‘οΈ MakerChecker
The open-source security layer for AI agents.
Deny-by-default enforcement, human approvals, and a cryptographically signed audit trail β so your agent runs only what itβs granted and provably canβt approve its own work.
Your agents keep running in their existing framework (LangChain, Claude SDK, CrewAI). MakerChecker sits in front of every tool call as a checkpoint and behind it as a signed ledger: an agent acts only through a role, runs only the skills it was granted, cannot exceed its limits, and cannot approve its own work.
π Quick Start
1 β Scan your code
Find what your agent can already do on its own, classified by risk. No install, nothing leaves your machine:
npx @makerchecker/scan .
It flags every consequential action β deleting data, moving money, running shell commands, exfiltrating secrets β names each against the real incident it resembles, and can write the governance code for you with --fix. β packages/scan
2 β Guarantee its behavior
Import the controls and wrap any tool. The agent can now only run what its role was granted β a call it isnβt allowed is denied before it executes:
npm i @makerchecker/embedded
import { createGovernor, GovernanceDeniedError } from "@makerchecker/embedded";
const gov = createGovernor()
.defineSkill("place-order@1", { riskTier: "high" })
.defineRole("agent")
.defineRole("risk-desk")
.grant("risk-desk", "place-order@1") // the agent is NOT granted it β deny by default
.defineAgent("trader", "agent");
// Wrap your tool once. Now the agent structurally can't fire it.
const placeOrder = gov.governedTool("trader", "place-order@1", (order) => broker.submit(order));
try {
await placeOrder({ symbol: "BTC", qty: 10 });
} catch (err) {
if (err instanceof GovernanceDeniedError) console.log(err.code); // "skill_not_granted"
}
High-risk skills go to a separate role, so an agent can never approve its own work β and every decision, allowed or denied, commits to a signed audit log. β packages/embedded
3 β Working with auditors?
Step 2 already writes a signed log. When auditors need a durable, queryable, tamper-evident record β plus a human-approval inbox and a review console β run the self-hosted server:
docker compose up
Every decision is Ed25519-signed and hash-chained: change any row and verification breaks. Export a bundle and anyone verifies it offline β no database, no trust in the process that produced it. β full server setup below
These are three independent packages β
mc scan,@makerchecker/embedded, and the server β that enforce the same controls and write the same signed audit format. Adopt any one on its own.
π¬ Governed Use Cases
Runnable examples of agents doing consequential work behind a human gate:
- Pharmacovigilance case processing β an agent triages adverse-event reports, but a medical reviewer signs before an expedited 15-day regulatory report transmits. examples/pv-icsr-processing
- Medical-device (MDR) complaint triage β a regulatory officer decides reportability behind a gate before draft reports are generated. examples/mdr-reportability-triage
- Oncology patient access β an agent handles benefit matching but is blocked from submitting copay enrollments without a specialist signing. examples/oncology-patient-access
- Daily cash reconciliation β a finance agent reconciles transactions but locks at exception gates until a cash officer signs off. examples/daily-cash-reconciliation
π Integrate With Your Framework
Drop-in connectors govern the tools you already have:
- LangChain β
packages/connector-langchain - Claude Agent SDK β
packages/connector-claude-agent - TypeScript / Python SDKs β
packages/sdkΒ·packages/sdk-python
When you run the server, the SDKβs governedTool routes each call through a proxy session for centralized authorization and recording:
import { createClient, governedTool, GovernanceDeniedError } from "@makerchecker/sdk";
const client = createClient({ baseUrl: "http://localhost:3000", apiKey: "mk_..." });
const { session } = await client.proxy.openSession({ label: "recon-run" });
const match = governedTool(
client, session.id,
"recon-preparer", // agent whose role grants are evaluated
"txn-match@1", // skillRef: name@version
(input) => matchTxns(input),
);
await match({ statement, ledger }); // throws GovernanceDeniedError if denied
await client.proxy.closeSession(session.id);
π₯οΈ Self-Hosted Server (optional)
Run the full gateway when you need centralized enforcement across many agents, a human-approval inbox, and a review console. docker compose up brings up Postgres, the server on localhost:3000, and a seeded demo, printing two API keys β an admin key (your agent authenticates runs) and an officer key (a human reviewer approves gated actions).
The seeded pharmacovigilance flow parks at a medical-review gate where the requester is refused as its own approver:
export H='authorization: Bearer mk_...' # admin key
export OFFICER='authorization: Bearer mk_...' # officer key
curl -X POST localhost:3000/api/flows/pv-icsr-processing/runs -H "$H" -H 'content-type: application/json' -d '{}'
curl localhost:3000/api/approvals -H "$H"
# The requester cannot approve their own run β rejected with 403
curl -X POST localhost:3000/api/approvals/<id>/decision -H "$H" -H 'content-type: application/json' \
-d '{"decision":"approved","reason":"self-approval attempt"}'
# A separate officer signs; only now does the action proceed
curl -X POST localhost:3000/api/approvals/<id>/decision -H "$OFFICER" -H 'content-type: application/json' \
-d '{"decision":"approved","reason":"Seriousness confirmed; file 15-day expedited ICSRs."}'
curl localhost:3000/api/audit/verify -H "$H"
Full setup, Kubernetes/Helm, and running with live models: docs/quickstart.md.
π Verifiable Audit Trail
Every decision and tool call commits to a hash-chained log β each event a SHA-256 over the RFC 8785 canonical JSON of the event, chained through prev_hash from genesis and Ed25519-signed. Change any row and verification breaks. Anyone can verify an exported bundle offline β no database, and no trust in the process that produced it:
npx @makerchecker/proof-verifier verify bundle.json
Spec: docs/audit-spec.md.
ποΈ Packages
| Package | License | What it is |
|---|---|---|
packages/scan | Apache-2.0 | mc scan β finds and classifies what your agent can do. |
packages/embedded | Apache-2.0 | Importable enforcement primitives β governance in your code. |
packages/proof-verifier | Apache-2.0 | Independently verify a signed audit bundle offline. |
packages/sdk | Apache-2.0 | TypeScript client + governedTool for the server. |
packages/sdk-python | Apache-2.0 | Python client + governed_tool. |
packages/connector-langchain | Apache-2.0 | Govern LangChain tools. |
packages/connector-claude-agent | Apache-2.0 | Govern Claude Agent SDK tools. |
packages/server | AGPL-3.0 | Self-hosted Fastify + Postgres gateway, flow engine, audit writer. |
packages/web | AGPL-3.0 | React console: approvals inbox, run log, registry. |
packages/shared | AGPL-3.0 | Domain types, canonical JSON, crypto utilities. |
π License & Contributing
- Server, Web, Shared: AGPL-3.0.
mc scan,embedded, SDKs, connectors, examples: Apache-2.0 β embed them in closed-source agents freely.- Commercial (non-copyleft) licensing: [email protected].
Contributing: CONTRIBUTING.md Β· Security: SECURITY.md Β· Code of Conduct: CODE_OF_CONDUCT.md
Similar Articles
@AiCamila_: Advanced Agent Security Hardening Beyond basic prompt injection defense, Advanced Agent Security includes tool sandboxiβ¦
A security expert shares a cheatsheet on advanced agent security hardening, covering tool sandboxing, output validation, data loss prevention, adversarial testing, and runtime policy enforcement, emphasizing continuous security practices for production AI agents.
Who gave your AI agent authority?
Discusses the security gap in AI agent workflows where agents assume human oversight at critical steps, and proposes a runtime control plane that enforces permissions and requires human approval for destructive actions, demonstrated with a Tandem demo.
Show HN: Halo β open-source, tamper-evident runtime evidence for AI agents
Halo is an open-source tool providing tamper-evident runtime records for AI agents, enabling auditable logs of agent actions that can be verified by third parties.
Skill Inspector
Skill Inspector is a developer tool that audits AI agent skills to help prevent malware risks.
Free AI Agent Security Assessment
Antitech is offering free early-access security assessments for AI agents, testing against attack vectors like prompt injection, tool abuse, and data leakage, providing a vulnerability report and discounts for participants.