Agentlas security model
Two different security questions come up: is the agent I'm about to publish safe to share, and is the agent someone else built safe for me to run. Agentlas has a separate, deterministic check for each.
Publish scan: is this agent safe to share?
Every publish runs a deterministic scanner across the agent's files — not an LLM judgment call. Nine risk categories: hardcoded secrets (AWS keys, GitHub PATs, OpenAI/Stripe/Slack tokens), curl|bash remote execution, obfuscated payloads, destructive shell commands, credential exfiltration patterns, overly broad permissions, prompt-injection vectors, committed .env files, and unsigned network tools.
Audit: is this agent safe to run?
The reverse direction matters just as much: importing a public GitHub repo or someone else's ZIP. The Audit tool background-checks third-party agents the same way — scanning for secrets, unsafe code, risky permissions, prompt-injection vectors, and memory-poisoning patterns before you trust the package on your machine. Source code is scanned and discarded; only the manifest is kept.
Loop guards, not just secret scanning
Every published agent also ships with a 'Loop guards' section written directly into its markdown: no self-invocation, a 3-retry cap on identical tool calls, a 25-tool-call-per-turn cap, a 5xx circuit breaker, and a 30-second webhook timeout with no auto-retry on an empty 2xx body. These are instructions the host runtime (Claude Code, Codex, Gemini CLI, Cursor) follows — a design and instruction-level protection, not a hard sandbox lock, since Agentlas does not host the runtime itself.
The Agent OS underneath Agentlas — Hephaestus — is Apache-2.0 licensed and public on GitHub. Its Stormbreaker subsystem (scope locks, verifier-first plans, bounded evidence loops, final proof) and A2A Boundary (inter-agent isolation with caller-gated invocation) are inspectable code, not a black-box claim.