Skip to main content
Guardway CLI (gw-cli) is the endpoint-side arm of Discovery. Where the GitHub side of Discovery scans your repositories in the cloud, gw-cli runs on a machine — a developer laptop, a build host, a workstation — and inventories the AI tools that are actually installed there: the agents, accounts, agent projects, skills, MCP servers, and extensions a person has on disk, each scored for risk. It is a single self-contained binary. It runs entirely on the machine and stores its results encrypted under ~/.guardway. By default it is local-only — nothing leaves the endpoint. Optionally, you can enroll it with a console API key so it reports its inventory to a central Guardway console for fleet visibility; reporting is strictly opt-in (see Fleet reporting).
Guardway CLI local dashboard

What this is for

Repository Discovery answers “what AI does our source code depend on?” The Guardway CLI answers the complementary question: “what AI tooling is actually installed and running on this endpoint, and is any of it risky?” Use it to:
  • Inventory the AI tools, agent projects, skills, MCP servers, and extensions on a machine.
  • Risk-score each skill / command / subagent / MCP config before it can do harm.
  • Measure the machine against the OWASP Agentic Skills Top 10 — every finding is tagged AST01–AST10 and rolled up into a compliance score.
  • Govern what’s installed: approve a reviewed baseline, then get flagged when anything new or changed appears.
  • Vet a skill or repo from a git URL before installing it — clone-and-scan, never execute.
  • Watch live LLM traffic (model, redacted prompt, tool calls, tokens, destination) on macOS.
It complements repository Discovery: repos tell you what your codebase ships; the endpoint tells you what your engineers are running locally — including things that never touch a repo.

What it finds

TypeExamples
AI tools / appsClaude Code, Claude Desktop, Cursor, Codex, Gemini CLI, Copilot, Cline, Continue, Goose, and many more — desktop apps, CLIs, and editor extensions.
AccountsPer tool, whether the signed-in account is corporate or personal (by email domain).
Agent projectsFolders on disk that contain agent configuration (skills, MCP configs, add-ons).
SkillsSKILL.md skills, risk-scored individually.
MCP serversRegistered MCP server configs, analyzed for hardcoded secrets, non-TLS endpoints, and shell-launch.
Commands / Hooks / Subagents / PluginsThe full agent extension surface, with risky items flagged.

Platforms

Full build. Discovery + risk scoring + local dashboard,
plus live LLM-traffic capture (`gw-cli mitm`).
Apple Silicon by default; x86_64 build on request.
Static-analysis build (Ubuntu 24.04, x86_64 / arm64).
Discovery + risk scoring + dashboard.
Live traffic capture (`mitm`) is macOS-only.
Static-analysis build (Windows 10/11, x86-64).
Discovery + risk scoring + dashboard.
Live traffic capture (`mitm`) is macOS-only.

Install

tar -xzf guardway-gw-cli-macos-arm64.tar.gz
cd guardway-gw-cli
./install.sh
Copies gw-cli to ~/.local/bin and clears the download-quarantine flag. If gw-cli: command not found, add ~/.local/bin to your PATH:
echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.zshrc
The current builds are unsigned test builds. On macOS, if Gatekeeper blocks it, run xattr -dr com.apple.quarantine ~/.local/bin/gw-cli. On Windows, SmartScreen/Defender may warn on first run; install.ps1 clears the mark-of-the-web.

How it works

1

Inventory the machine

gw-cli discover --deep
Walks the machine for AI tools, agent projects, skills, MCP configs, and extensions, then risk-scores each artifact and stores the result encrypted under ~/.guardway.
2

View the results

gw-cli serve        # live dashboard → http://localhost:8789  (Ctrl-C to stop)
gw-cli report       # or a plain-text summary in the terminal
The dashboard groups skills by project, badges each by risk, and has tabs for Add-ons, Agents, MCP servers, Tools, and Runtime — plus an Accounts summary. See Local Dashboard.
3

Keep it current (recommended)

gw-cli schedule --interval daily --at 09:00
Installs a background job (launchd / systemd --user timer / Task Scheduler) that re-runs discover --deep on a cadence and exits — nothing stays resident. Open serve whenever you want to look.
4

Vet before you install

gw-cli vet github.com/owner/repo
Shallow-clones a skill/repo into a throwaway temp dir, scans every artifact, prints a verdict, and deletes the clone — the code is never executed.
5

(macOS) Capture live traffic

gw-cli mitm
Trusts a local CA and points the system HTTPS proxy at a local inspector so you can see what your AI tools actually send to model providers — with secrets redacted. Reverts on exit.
Out of the box, gw-cli scores with a built-in heuristic engine that deliberately over-flags. For production-grade scoring it auto-detects NVIDIA SkillSpector if present:
curl -LsSf https://astral.sh/uv/install.sh | sh
uv tool install --python 3.12 git+https://github.com/NVIDIA/skillspector.git
gw-cli discover --deep      # now scores with engine = SkillSpector
See Inventory & Risk Scoring for how the two engines differ and what the offline augmentation passes add on top.

Fleet reporting (optional)

By default the CLI never talks to the network. To roll endpoint inventory up into a central console for fleet visibility, enroll the machine once with an endpoint API key:
gw-cli enroll --key sk-ep-… --url <your-console-url> --verify
This writes the key + console URL to <data-dir>/config.toml (mode 0600, never logged). Afterwards you can push the current snapshot on demand or after a scan:
gw-cli discover --deep --report     # scan, then push the findings
gw-cli report --push                # push the latest stored snapshot
gw-cli enroll --remove              # stop reporting; clears the saved config
Reporting is opt-in and fail-safe: nothing is sent unless a key + URL are configured, secrets are already redacted at source, --air-gap disables reporting, and a failed push is queued to a local outbox and retried on the next run — it never breaks a scan.

Scope & privacy

The Guardway CLI is local-first. It runs on the machine and stores everything encrypted under ~/.guardway (%USERPROFILE%\.guardway on Windows). Unless you explicitly enroll it with a console API key, nothing leaves the endpoint — no inventory, no findings, no prompts. Wipe all state with rm -rf ~/.guardway.
Only one gw-cli process can use the encrypted store at a time. Don’t run discover while serve is running — use the dashboard’s Rescan button instead.

Where to next

CLI Reference

Every command and flag: discover, serve, scan, vet, report, schedule, mitm, demo.

Inventory & Risk Scoring

What it detects, the risk levels, the two scoring engines, and the offline evasion-resistant passes.

Local Dashboard

The serve dashboard: tabs, the Accounts summary, freshness, and auto-refresh.

Discovery Overview

The repository (GitHub) side of Discovery that this complements.