# AgentWard
Secure every agent action — from install to runtime. Open-source security platform for AI agents.
Telling an agent "don't touch the stove" is a natural-language guardrail that can be circumvented. AgentWard puts a physical lock on the stove — code-level enforcement that prompt injection can't override.
AgentWard sits between AI agents and their tools (MCP servers, HTTP gateways, function calls) to enforce least-privilege policies, inspect data flows at runtime, and generate compliance audit trails. Policies are enforced in code, outside the LLM context window — the model never sees them, can't override them, can't be tricked into ignoring them.
## Why AgentWard?
AI agents now have access to your email, calendar, filesystem, shell, databases, and APIs. Plenty of tooling gives agents these capabilities. Nothing controls what they do with them.
| What exists today | What it does | What it doesn't do |
|---|---|---|
| Static scanners (mcp-scan, Cisco Skill Scanner) | Scan tool definitions, report risks | No runtime enforcement. Scan and walk away. |
| Guardrails frameworks (NeMo, Guardrails AI) | Filter LLM inputs/outputs | Don't touch tool calls. An agent can still `rm -rf /`. |
| Prompt-based rules (SecureClaw) | Inject safety instructions into agent context | Vulnerable to prompt injection. The LLM can be tricked into ignoring them. |
| IAM / OAuth | Control who can access what | Control humans, not agents. An agent with your OAuth token has your full permissions. |
The gap: No tool-level permission enforcement that actually runs in code, outside the LLM, at the point of every tool call. Scanners find problems but don't fix them. Guardrails protect the model but not the tools. Prompt rules are suggestions, not enforcement.
AgentWard fills this gap. It's a proxy that sits between agents and tools, evaluating every `tools/call` against a declarative policy — in code, at runtime, where prompt injection can't reach.
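To make "enforced in code, outside the LLM" concrete, here is a minimal sketch of the kind of check a policy proxy performs on each tool call. The rule schema, function name, and tool names below are invented for illustration — this is not AgentWard's actual API.

```python
# Illustrative sketch of code-level policy enforcement. The policy schema
# and names here are hypothetical, not AgentWard's real implementation.

def evaluate_call(policy: dict, tool: str, args: dict) -> str:
    """Return 'allow', 'deny', or 'approve' for a single tool call."""
    for rule in policy.get("rules", []):
        if rule["tool"] == tool:
            # Deny outright if any argument contains a blocked pattern.
            if any(b in str(args.values()) for b in rule.get("deny_args", [])):
                return "deny"
            return rule.get("action", "allow")
    # Least privilege: tools with no matching rule fall through to the default.
    return policy.get("default", "deny")

policy = {
    "default": "deny",
    "rules": [
        {"tool": "read_file", "action": "allow"},
        {"tool": "shell_exec", "action": "approve", "deny_args": ["rm -rf"]},
    ],
}

print(evaluate_call(policy, "read_file", {"path": "notes.txt"}))  # allow
print(evaluate_call(policy, "shell_exec", {"cmd": "rm -rf /"}))   # deny
print(evaluate_call(policy, "send_email", {"to": "x@y.com"}))     # deny
```

Because this logic runs in the proxy process, nothing the model emits — including injected instructions — can change the decision.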
## Prerequisites
AgentWard scans and enforces policies on your existing AI agent tools. You need at least one of:
- Cursor with MCP servers configured
- Claude Desktop with MCP servers configured
- VS Code with MCP servers (Copilot or extensions)
- Windsurf with MCP servers configured
- OpenClaw with skills installed
No MCP servers yet? AgentWard can also scan Python tool definitions (OpenAI, LangChain, CrewAI) in any project directory.
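For reference, a Python tool definition of the kind the scanner looks for is just a function-calling schema in your code. The specific tool below is a made-up example (not from AgentWard's docs), in the standard OpenAI function-tool format:

```python
# A typical OpenAI-style function tool definition — the kind of artifact a
# scan of a project directory would analyze. This example tool is invented.

delete_file_tool = {
    "type": "function",
    "function": {
        "name": "delete_file",
        "description": "Delete a file at the given path.",
        "parameters": {
            "type": "object",
            "properties": {
                "path": {"type": "string", "description": "Absolute file path"},
            },
            "required": ["path"],
        },
    },
}
# A scanner would rate this high-risk: destructive filesystem access
# with an unconstrained path argument.
```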
## Quick Start
```shell
pip install agentward
agentward init
```
That's it. `agentward init` scans your tools, shows a risk summary, generates a recommended policy, and wires AgentWard into your environment. Most users don't need anything else.
If you want more control, you can run each step individually:
### 1. Scan your tools
```shell
agentward scan
```
Auto-discovers MCP configs (Claude Desktop, Cursor, Windsurf, VS Code), Python tool definitions (OpenAI, LangChain, CrewAI), and OpenClaw skills. Outputs a permission map with risk ratings, skill-chain analysis, security recommendations, and developer fix guidance. A Markdown report (`agentward-report.md`) is saved automatically.
```shell
agentward scan ~/clawd/skills/bankr/  # scan a single skill
agentward scan ~/.cursor/mcp.json     # scan a specific MCP config
agentward scan ~/project/             # scan a directory
agentward scan --format html          # shareable HTML report with security score
agentward scan --format sarif         # SARIF output for the GitHub Security tab
```
### 2. Generate a policy
```shell
agentward configure
```
Generates a smart-default `agentward.yaml` with security-aware rules based on what `scan` found — skill restrictions, approval gates, and chaining rules tailored to your setup.
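As a purely illustrative sketch of what such a policy could express — every key and value below is invented for this example and is not AgentWard's actual schema:

```yaml
# Hypothetical policy sketch — field names invented for illustration,
# not AgentWard's real configuration format.
default: deny
tools:
  read_file:
    action: allow
  shell_exec:
    action: approve            # human approval gate before each call
    deny_args: ["rm -rf"]
chains:
  - deny: [read_file, send_email]   # block exfiltration-style tool chaining
```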
## Configuration
`agentward init` wires this in for you; to route an MCP client through the proxy manually, add AgentWard to the client's MCP config:

```json
{
  "mcpServers": {
    "agentward": {
      "command": "agentward",
      "args": ["proxy"]
    }
  }
}
```