Show HN: Scan your AI agents for dangerous capabilities

Hacker News Top Tools

Summary

MakerChecker is an open-source security layer for AI agents that enforces deny-by-default permissions, human approvals, and provides a cryptographically signed audit trail. It scans agent code for dangerous capabilities and prevents agents from approving their own actions.

No content available
Original Article
View Cached Full Text

Cached at: 07/06/26, 02:03 PM

makerchecker/MakerChecker

Source: https://github.com/makerchecker/MakerChecker

πŸ›‘οΈ MakerChecker

The open-source security layer for AI agents.

Deny-by-default enforcement, human approvals, and a cryptographically signed audit trail β€” so your agent runs only what it’s granted and provably can’t approve its own work.

CI Release License Stars

Website Β· Live Demo Β· mc scan Β· Docs

Your agents keep running in their existing framework (LangChain, Claude SDK, CrewAI). MakerChecker sits in front of every tool call as a checkpoint and behind it as a signed ledger: an agent acts only through a role, runs only the skills it was granted, cannot exceed its limits, and cannot approve its own work.


πŸš€ Quick Start

1 β€” Scan your code

Find what your agent can already do on its own, classified by risk. No install, nothing leaves your machine:

npx @makerchecker/scan .

It flags every consequential action β€” deleting data, moving money, running shell commands, exfiltrating secrets β€” names each against the real incident it resembles, and can write the governance code for you with --fix. β†’ packages/scan

2 β€” Guarantee its behavior

Import the controls and wrap any tool. The agent can now only run what its role was granted β€” a call it isn’t allowed is denied before it executes:

npm i @makerchecker/embedded
import { createGovernor, GovernanceDeniedError } from "@makerchecker/embedded";

const gov = createGovernor()
  .defineSkill("place-order@1", { riskTier: "high" })
  .defineRole("agent")
  .defineRole("risk-desk")
  .grant("risk-desk", "place-order@1")   // the agent is NOT granted it β€” deny by default
  .defineAgent("trader", "agent");

// Wrap your tool once. Now the agent structurally can't fire it.
const placeOrder = gov.governedTool("trader", "place-order@1", (order) => broker.submit(order));

try {
  await placeOrder({ symbol: "BTC", qty: 10 });
} catch (err) {
  if (err instanceof GovernanceDeniedError) console.log(err.code); // "skill_not_granted"
}

High-risk skills go to a separate role, so an agent can never approve its own work β€” and every decision, allowed or denied, commits to a signed audit log. β†’ packages/embedded

3 β€” Working with auditors?

Step 2 already writes a signed log. When auditors need a durable, queryable, tamper-evident record β€” plus a human-approval inbox and a review console β€” run the self-hosted server:

docker compose up

Every decision is Ed25519-signed and hash-chained: change any row and verification breaks. Export a bundle and anyone verifies it offline β€” no database, no trust in the process that produced it. β†’ full server setup below

These are three independent packages β€” mc scan, @makerchecker/embedded, and the server β€” that enforce the same controls and write the same signed audit format. Adopt any one on its own.


πŸ”¬ Governed Use Cases

Runnable examples of agents doing consequential work behind a human gate:

  • Pharmacovigilance case processing β€” an agent triages adverse-event reports, but a medical reviewer signs before an expedited 15-day regulatory report transmits. examples/pv-icsr-processing
  • Medical-device (MDR) complaint triage β€” a regulatory officer decides reportability behind a gate before draft reports are generated. examples/mdr-reportability-triage
  • Oncology patient access β€” an agent handles benefit matching but is blocked from submitting copay enrollments without a specialist signing. examples/oncology-patient-access
  • Daily cash reconciliation β€” a finance agent reconciles transactions but locks at exception gates until a cash officer signs off. examples/daily-cash-reconciliation

πŸ”Œ Integrate With Your Framework

Drop-in connectors govern the tools you already have:

When you run the server, the SDK’s governedTool routes each call through a proxy session for centralized authorization and recording:

import { createClient, governedTool, GovernanceDeniedError } from "@makerchecker/sdk";

const client = createClient({ baseUrl: "http://localhost:3000", apiKey: "mk_..." });
const { session } = await client.proxy.openSession({ label: "recon-run" });

const match = governedTool(
  client, session.id,
  "recon-preparer",   // agent whose role grants are evaluated
  "txn-match@1",       // skillRef: name@version
  (input) => matchTxns(input),
);

await match({ statement, ledger });   // throws GovernanceDeniedError if denied
await client.proxy.closeSession(session.id);

πŸ–₯️ Self-Hosted Server (optional)

Run the full gateway when you need centralized enforcement across many agents, a human-approval inbox, and a review console. docker compose up brings up Postgres, the server on localhost:3000, and a seeded demo, printing two API keys β€” an admin key (your agent authenticates runs) and an officer key (a human reviewer approves gated actions).

The seeded pharmacovigilance flow parks at a medical-review gate where the requester is refused as its own approver:

export H='authorization: Bearer mk_...'         # admin key
export OFFICER='authorization: Bearer mk_...'   # officer key

curl -X POST localhost:3000/api/flows/pv-icsr-processing/runs -H "$H" -H 'content-type: application/json' -d '{}'
curl localhost:3000/api/approvals -H "$H"

# The requester cannot approve their own run β€” rejected with 403
curl -X POST localhost:3000/api/approvals/<id>/decision -H "$H" -H 'content-type: application/json' \
  -d '{"decision":"approved","reason":"self-approval attempt"}'

# A separate officer signs; only now does the action proceed
curl -X POST localhost:3000/api/approvals/<id>/decision -H "$OFFICER" -H 'content-type: application/json' \
  -d '{"decision":"approved","reason":"Seriousness confirmed; file 15-day expedited ICSRs."}'

curl localhost:3000/api/audit/verify -H "$H"

Full setup, Kubernetes/Helm, and running with live models: docs/quickstart.md.


πŸ”’ Verifiable Audit Trail

Every decision and tool call commits to a hash-chained log β€” each event a SHA-256 over the RFC 8785 canonical JSON of the event, chained through prev_hash from genesis and Ed25519-signed. Change any row and verification breaks. Anyone can verify an exported bundle offline β€” no database, and no trust in the process that produced it:

npx @makerchecker/proof-verifier verify bundle.json

Spec: docs/audit-spec.md.


πŸ—‚οΈ Packages

PackageLicenseWhat it is
packages/scanApache-2.0mc scan β€” finds and classifies what your agent can do.
packages/embeddedApache-2.0Importable enforcement primitives β€” governance in your code.
packages/proof-verifierApache-2.0Independently verify a signed audit bundle offline.
packages/sdkApache-2.0TypeScript client + governedTool for the server.
packages/sdk-pythonApache-2.0Python client + governed_tool.
packages/connector-langchainApache-2.0Govern LangChain tools.
packages/connector-claude-agentApache-2.0Govern Claude Agent SDK tools.
packages/serverAGPL-3.0Self-hosted Fastify + Postgres gateway, flow engine, audit writer.
packages/webAGPL-3.0React console: approvals inbox, run log, registry.
packages/sharedAGPL-3.0Domain types, canonical JSON, crypto utilities.

πŸ“„ License & Contributing

  • Server, Web, Shared: AGPL-3.0.
  • mc scan, embedded, SDKs, connectors, examples: Apache-2.0 β€” embed them in closed-source agents freely.
  • Commercial (non-copyleft) licensing: [email protected].

Contributing: CONTRIBUTING.md Β· Security: SECURITY.md Β· Code of Conduct: CODE_OF_CONDUCT.md

Similar Articles

Who gave your AI agent authority?

Reddit r/AI_Agents

Discusses the security gap in AI agent workflows where agents assume human oversight at critical steps, and proposes a runtime control plane that enforces permissions and requires human approval for destructive actions, demonstrated with a Tandem demo.

Skill Inspector

Product Hunt

Skill Inspector is a developer tool that audits AI agent skills to help prevent malware risks.

Free AI Agent Security Assessment

Reddit r/AI_Agents

Antitech is offering free early-access security assessments for AI agents, testing against attack vectors like prompt injection, tool abuse, and data leakage, providing a vulnerability report and discounts for participants.