Skip to main content

What this is for

This page explains what gw-cli discover finds on a machine and how each artifact is scored. The inventory is broad — the whole agent extension surface, not just skills — and the scoring is layered: a primary engine, plus offline augmentation passes designed to catch the evasion techniques that beat file-only scanners.

The inventory surface

discover --deep walks the machine and records every AI artifact it finds:
CategoryWhat it covers
AI tools / appsDesktop apps, CLIs, and editor extensions — Claude Code, Claude Desktop, Cursor, Codex, Gemini CLI, GitHub Copilot, Cline, Continue, Goose, Amazon Q, and many more.
AccountsFor each tool, whether the signed-in account is corporate or personal, inferred from the email domain.
Agent projectsFolders that carry agent configuration — skills, MCP configs, and add-ons.
SkillsSKILL.md skills, scored individually and grouped by project.
MCP serversRegistered MCP server configs.
CommandsSlash/command definitions.
HooksLifecycle hooks that run shell on agent events.
SubagentsDelegated agents and the tools they’re granted.
PluginsPackaged extensions.

Risk levels

Every scored artifact is normalized to one of five levels, ordered lowest to highest:
LevelMeaning
NoneNo risky patterns detected.
LowOnly minor findings.
MediumSome risky patterns worth a review.
HighHigh-risk behavior — flagged.
CriticalSecret-exfiltration, destructive, or injection patterns — flagged.
High and Critical are the flagged levels — the ones the dashboard badges and vet blocks on by default.

Scoring engines

gw-cli scores with one of two engines. It auto-detects which is available and prints the active engine in its output. MCP configs are always scored by a config-aware analyzer (reliable on JSON) rather than the skill engine — it flags hardcoded secrets in env, non-TLS http:// endpoints, and shell-launch commands. Hooks and commands are scored with shell + network heuristics; subagents are flagged for overly broad tool grants.

Offline augmentation

On top of the primary engine, every scan record runs through offline augmentation passes. These counter the techniques research has shown beating file-only scanners (including SkillSpector), and they need no network:
CodeWhat it catches
IOC-KNOWNExact match of a disclosed campaign indicator → escalated to Critical.
PADDINGAn oversized instruction file with a low-entropy tail — a size-cap evasion trick.
HIDDEN-UNICODEStrips zero-width, Tag, and bidirectional codepoints, then re-scans the de-obfuscated text.
So a hardcoded token in an MCP config, a curl … | bash hidden with invisible characters, or a known malicious indicator all surface as findings — even against an artifact crafted to slip past a plain file scan.

External-reference index

Beyond flagging suspicious links, the scanner builds a typed, persisted index of every external resource an artifact points the agent at — the durable graph the drift watcher diffs and a future network trust-scorer will enrich. Each reference records its kind (URL, repository, npm/PyPI package, release download, remote skill/instructions, paste host, wallet address), a coarse host class (vendor, code host, registry, paste, free-tier/throwaway, IP), its version spec, and whether it is pinned to an exact version/tag/commit. Only the host/package identity and version metadata are stored — never a raw URL that might carry a token. The offline external-reference classifier turns high-signal references into findings:
CodeWhat it catches
EXT-REMOTE-SKILLFetches a remote SKILL.md / instructions file the agent will follow.
EXT-PASTEReferences a paste/snippet host (rentry, pastebin, glot, …).
EXT-RELEASEDownloads a release/binary artifact.
EXT-LOOKALIKEA brand-lookalike domain (edit-distance 1 from a known vendor).
EXT-TYPOSQUATAn npm/PyPI package that typosquats a popular one.

Post-approval drift

An artifact that scored clean can be edited — or silently auto-updated — into something malicious after you first trusted it (a rug-pull / TOCTOU). On every scan the mutation watcher diffs the fresh record against the last-stored (approved) baseline for that path and raises drift findings:
CodeWhat it catches
DRIFT-NEW-REFThe artifact added an external reference it did not have before — a new host, package, paste, remote skill, or wallet. A new paste/remote-skill/wallet reference is High.
DRIFT-LOST-PINA reference that used to be pinned to an exact version dropped its pin and now floats — the classic “install pkg@1.2.3, later float to a malicious release.” High.
DRIFT-ESCALATIONThe artifact’s overall risk rose since the baseline.
This is the on-endpoint-detectable half of the flagship supply-chain attack (CVE-2025-54136). discover prints a one-line summary (Post-approval drift: N change(s)…) when anything drifted.

Install-lifecycle & CI-workflow analysis

The highest-severity confirmed payloads often hide in install plumbing rather than the skill body. A dedicated pass inspects each artifact’s files:
CodeWhat it catches
LIFECYCLE-FETCH-EXECRemote content piped into an interpreter (curl … | bash, bash -c "$(curl …)", iwr … | iex) in a script or “prerequisite” block. High.
CI-FETCH-EXECThe same fetch-exec inside a GitHub Actions workflow or action.yml. Critical.
NPM-LIFECYCLE-FETCHA preinstall / install / postinstall script in package.json that fetches remote content on install. Critical.
CI-UNTRUSTED-CHECKOUTA pull_request_target workflow that checks out untrusted PR code. High.
CI-INJECTIONUntrusted ${{ github.event.* }} data interpolated into a run: shell step. High.
INSECURE-DESERIALIZEpickle.loads / marshal.loads / yaml.load without a safe loader. Medium.

Metadata, posture & MCP scope

Three more offline passes catch risks that live in the declaration and environment around a skill rather than its code:
CodeWhat it catches
META-MISSINGA SKILL.md with no frontmatter, or missing the name / description identity fields the platform expects — the signature of a skill ported from another format with its metadata stripped.
META-MISMATCHThe declared tool list omits shell execution, but the body runs shell — the manifest understates what the skill does.
META-UNDECLARED-NETThe description discloses no network use, but the body runs egress commands (curl, wget, iwr, raw sockets).
POSTURE-BYPASSAn agent settings file disables permission prompts (bypassPermissions) — every skill runs unattended.
POSTURE-ALLOW-ALLA wildcard shell allowlist (Bash(*), *) pre-approves arbitrary commands.
POSTURE-HOOKAn auto-run lifecycle hook pipes a download into a shell, evals, elevates, or deletes recursively.
MCP-EXFILA filesystem MCP server granted a root of /, ~, or a whole home directory — broad read paired with the agent’s network reach is the minimum exfiltration kit.

OWASP Agentic Skills Top 10

Every rule Guardway raises is tagged with the OWASP Agentic Skills Top 10 item it detects (AST01–AST10), and the CLI + dashboards compute a compliance level per machine from those findings. Guardway has detection-side coverage of all ten items — it detects and reports; it never blocks or sandboxes.
ItemWhat it coversExample rules
AST01 Malicious Skillscredential stealers, reverse shells, injectionNET1, E1, COMBO, PI1, SH1, IOC-KNOWN
AST02 Supply Chaintyposquats, look-alikes, unsigned releasesEXT-TYPOSQUAT, EXT-LOOKALIKE, RP*, CI-*
AST03 Over-Privilegeover-broad skill / MCP scopeMCP1, MCP-EXFIL, CRED, LP*
AST04 Insecure Metadataunderstated / mismatched manifestsMETA-MISMATCH, META-UNDECLARED-NET
AST05 External Instructionsmutable remote content the skill followsEXT-REMOTE-SKILL, EXT-PASTE
AST06 Weak Isolationno sandbox / bypassed promptsPOSTURE-BYPASS, POSTURE-ALLOW-ALL, MCP-SHELL
AST07 Update Driftsilent post-approval mutationDRIFT-NEW-REF, DRIFT-LOST-PIN, DRIFT-ESCALATION
AST08 Scanner Evasionpadding, hidden unicode, obfuscationPADDING, HIDDEN-UNICODE, OB1
AST09 Governanceno inventory / approval / auditGOV-UNAPPROVED (see below)
AST10 Cross-Platform Reuseported skill missing its metadataMETA-MISSING

Compliance scoring

Each item is scored from the findings present on the machine:
StatusMeaning
PASSno finding maps to this item
ATTENTIONonly minor findings map (severity < 25)
FAILat least one serious finding maps (severity ≥ 25)
A machine’s compliance % = (PASS = 1 · ATTENTION = 0.5 · FAIL = 0) across the ten items ÷ 10. gw-cli scan prints each finding’s AST tag (e.g. META-UNDECLARED-NET … (AST04)); the local dashboard shows an OWASP panel; the Guardway console rolls it up across the fleet.
AST vs ASI — two different OWASP frameworks. The endpoint side (this CLI) maps to the Agentic Skills Top 10 (AST) — threats in installed skills at rest. The platform Agents page maps to the Agentic Security Initiative (ASI) — threats in a running agent. They are complementary, not the same list: AST07 Update Drift and AST09 Governance have no runtime equivalent; ASI06 Memory Poisoning and ASI10 Rogue Agents have no static-skill equivalent. AST is the risk at rest (the leading indicator); ASI is the live exploitation — e.g. an over-privileged skill (AST03) is what a running agent later abuses (ASI03).

Governance (AST09)

Inventory only governs if new arrivals are surfaced. Run gw-cli approve after reviewing a discover run to record the current skills, commands, subagents, and MCP configs as the approved baseline (path + content hash → <data-dir>/approved.json). From then on discover flags anything new or changed outside that baseline:
CodeWhat it catches
GOV-UNAPPROVEDAn artifact that appeared or changed outside the approval flow — even if its content scans clean, because nobody approved it.
Governance is opt-in and local — no baseline file, no findings. Until you run approve, AST09 reads as ATTENTION (“no approval baseline”); a baseline with no violations makes it PASS.

Vet verdicts

gw-cli vet collapses an artifact’s overall risk into a single headline verdict word plus one-line advice. The mapping:
Overall riskVerdictAdvice
Critical / HighDO NOT INSTALLHigh-risk behavior found. Do not install without a careful manual review.
MediumREVIEW FIRSTSome risky patterns found. Review the flagged artifacts before installing.
LowLIKELY OKOnly minor findings. Skim the flagged lines, then it’s likely safe.
NoneCLEANNo risky patterns detected. Still review the code before granting access.
The process exits non-zero at or above --fail-on (default high), so you can gate an install:
gw-cli vet owner/repo && echo "clone + install…"    # only proceeds if the vet passed

Limits

  • The built-in engine over-flags by design; install SkillSpector for production-grade scoring.
  • Detection is static — it inspects files, it does not execute them. Drift detection catches the local mutation of an approved artifact (the on-endpoint half of a TOCTOU/rug-pull); confirming that a remote URL’s served content has flipped, or judging live runtime intent, requires the network and is out of scope for on-endpoint static analysis.
  • Drift needs a baseline: the first scan of an artifact establishes it, so drift findings appear from the second scan onward. Keep the inventory fresh (see schedule) so the baseline stays current.
  • On Windows, some app-config paths (e.g. the Claude desktop app under %APPDATA%) are still being added; Claude Code and project-folder artifacts are covered today.