
Releases: guard0-ai/g0

v2.0.0 — Background Check for AI Agents

06 Apr 23:25
96363b2


You wouldn't hire someone without a background check. Why would you deploy an AI agent without one?

g0 v2.0 establishes g0 as the open-source standard for AI agent due diligence. Discover every component, assess 1,180+ risk patterns across 12 domains, and adversarially test behavior with 1,200+ payloads — all from one CLI, fully offline.

npx @guard0/g0 scan ./my-agent

🔍 Background Check for AI Agents

g0 now runs a complete background check on every AI agent before it ships — discovery, assessment, adversarial testing, and continuous monitoring.

  • 1,180+ security rules across 12 domains
  • 1,200+ adversarial test payloads across 10 attack categories
  • 10 standards mappings, including OWASP Agentic Top 10, NIST AI RMF, ISO 42001, ISO 23894, OWASP AIVSS, OWASP LLM Top 10, EU AI Act, MITRE ATLAS, and AIUC-1
  • 11 framework parsers — LangChain, CrewAI, MCP, OpenAI, Vercel AI, Bedrock, AutoGen, LangChain4J, Spring AI, Golang AI, OpenClaw
  • 5-language support — Python, TypeScript, JavaScript, Java, Go
  • Letter grade scoring (A–F) with domain-by-domain breakdown
  • Inline remediation — every finding includes a Fix line and Standards mapping
  • Security vs Hardening split scores for nuanced assessment

🛡️ First-Class OpenClaw Security

g0 is the most comprehensive security tool for OpenClaw deployments, covering the full stack from skill files to host hardening:

Scanning & Assessment

  • OpenClaw Scanner — deep analysis of SKILL.md, SOUL.md, MEMORY.md, and openclaw.json configurations
  • 9 dedicated YAML rules (AA-SC-121..125, AA-DL-133..137) for supply-chain and data-leakage patterns specific to OpenClaw
  • Skill Hardening — description-behavior alignment checks, overprivileged description detection, manifest validation

Infrastructure Hardening

  • 18 Gateway Probes (OC-H-001..018) — auth mode, TLS configuration, CORS policy, rate limiting, control UI exposure, trusted proxies
  • 27 Deployment Probes (OC-H-019..037, OC-H-056..063) — host-level security, container deep audit, session forensics
  • OpenClaw Config Hardener — validated against real ClawKeeper/SecureClaw config path specifications
  • Host Hardening — 8 macOS probes + 5 Linux probes + 8 Docker container probes

Continuous Monitoring

  • OpenClaw Daemon — real-time monitoring for malicious skills and MCP config drift
  • Cognitive Drift Detection — SHA-256 baseline monitoring for SOUL.md, MEMORY.md, IDENTITY.md, and AGENTS.md
  • CVE Awareness — integrated ClawSec advisory feed (55+ CVEs including CVE-2026-28363)
  • IOC Database — 55+ indicators checked against tool URLs, endpoints, and agent names
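The cognitive drift check above is a hash baseline over the files that define the agent's identity. The following is an added example of that mechanism, not g0's daemon code: the watched file names follow the bullet, the file contents are constructed strings rather than reads from disk, and the function names are assumptions for the example.

```typescript
import { createHash } from "node:crypto";

// Added example (not g0's drift detector): SHA-256 baselines for identity files
// and a comparison that reports modified, added and removed files.

export type Baseline = Record<string, string>; // relative path -> sha256 hex

export interface DriftEvent {
  path: string;
  kind: "modified" | "added" | "removed";
  before?: string; // baseline digest
  after?: string;  // current digest
}

// The identity files named in the release notes.
export const WATCHED_FILES = ["SOUL.md", "MEMORY.md", "IDENTITY.md", "AGENTS.md"];

const hasOwn = (obj: object, key: string): boolean =>
  Object.prototype.hasOwnProperty.call(obj, key);

export function sha256(content: string): string {
  // Hash the bytes exactly as written. A "harmless" whitespace or wording edit
  // to SOUL.md is precisely the change worth a second look, so nothing is
  // normalized before hashing.
  return createHash("sha256").update(content, "utf8").digest("hex");
}

// Record the current digest of every watched file that exists.
export function buildBaseline(files: Record<string, string>): Baseline {
  const baseline: Baseline = {};
  for (const [path, content] of Object.entries(files)) {
    if (WATCHED_FILES.includes(path)) baseline[path] = sha256(content);
  }
  return baseline;
}

// Compare the files seen now against the baseline. A watched file that has
// disappeared or appeared is reported as well as one whose digest changed.
export function detectDrift(baseline: Baseline, files: Record<string, string>): DriftEvent[] {
  const events: DriftEvent[] = [];
  for (const [path, before] of Object.entries(baseline)) {
    if (!hasOwn(files, path)) {
      events.push({ path, kind: "removed", before });
      continue;
    }
    const after = sha256(files[path]);
    if (after !== before) events.push({ path, kind: "modified", before, after });
  }
  for (const [path, content] of Object.entries(files)) {
    if (WATCHED_FILES.includes(path) && !hasOwn(baseline, path)) {
      events.push({ path, kind: "added", after: sha256(content) });
    }
  }
  return events.sort((a, b) => a.path.localeCompare(b.path));
}
```

Persist the baseline somewhere the agent itself cannot write (the daemon's own state directory, not the workspace), otherwise a compromised agent can rewrite SOUL.md and the baseline in the same step.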

g0 OpenClaw Plugin

  • 5-layer defense using the real OpenClaw plugin API
  • Hooks into before_agent_start, before_tool_call, tool_result_persist, and message_received events
  • Tool registration and service integration via registerTool() and registerService()

🧪 Adversarial Testing Engine

The g0 test command delivers production-grade red teaming for AI agents and MCP servers:

  • 10 payload categories: prompt injection, data exfiltration, tool abuse, jailbreak, goal hijacking, content safety, bias detection, PII probing, agentic attacks, advanced jailbreak
  • 4 advanced categories: cross-tool-chain exploitation, taint-exploit chains, description-mismatch attacks, tool-output-injection
  • 3-level progressive judge: deterministic → heuristic → LLM-as-judge
  • HTTP POST and MCP stdio providers for flexible target connectivity
  • 10 attack chain patterns in the correlation engine for detecting multi-step attack sequences
  • 25 AttackCategory types for comprehensive adversarial coverage

g0 test --target http://localhost:3000/api/chat
g0 test --target ./mcp-server --provider mcp

📊 Enhanced Scanning Architecture

  • Scan Presets — strict, balanced, and permissive modes with --preset CLI flag
  • Analyzability Classification — files classified as analyzable, inert, or opaque with weighted scoring
  • Pipeline Taint Analysis — shell pipe chain detection tracing source → obfuscation → sink flows
  • Cross-File Tracing — 7 dangerous tool combo patterns detected, cross-file exfiltration tracing via moduleGraph
  • AI Meta-Analyzer — holistic false-positive review with authority hierarchy and consensus mode (majority vote)
  • SARIF 2.1.0 — codeFlows for taint paths, relatedLocations for cross-file findings, analyzability metadata
  • Gate Thresholds — --min-score, --min-grade, --no-critical, --no-high for CI/CD enforcement

🌐 12 Security Domains

 #  Domain               What it catches
 1  Goal Integrity       Prompt injection, goal hijacking, instruction override
 2  Tool Safety          Unsafe tool configs, missing sandboxing, excessive capabilities
 3  Identity & Access    Missing auth, privilege escalation, session management
 4  Supply Chain         Dependency risks, unverified skills, malicious packages
 5  Code Execution       Arbitrary code exec, unsafe eval, sandbox escapes
 6  Memory & Context     Context poisoning, memory manipulation, state corruption
 7  Data Leakage         PII exposure, credential leaks, exfiltration channels
 8  Cascading Failures   Error propagation, retry storms, resource exhaustion
 9  Human Oversight      Missing approval flows, insufficient logging, autonomy bounds
10  Inter-Agent          Delegation risks, trust boundaries, message tampering
11  Reliability Bounds   Hallucination risk, confidence calibration, fallback handling
12  Rogue Agent          Behavioral drift, goal misalignment, deceptive patterns

🖥️ Daemon & Continuous Monitoring

  • OpenClaw-focused daemon — real-time monitoring for malicious skills and MCP config drift
  • Kill Switch — automatic activation on detected attack patterns
  • Cost Monitor — per-model token pricing with circuit breaker protection
  • Behavioral Baseline — 24h learning window with stddev anomaly detection and tool burst detection
  • Correlation Engine — 6 cross-source rules for attack chain detection
  • Fleet Management — multi-machine registration, aggregate scoring, cross-machine correlation
  • Agent Watchers — detect Claude Code, Cursor, MCP servers, and 40+ AI tools
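How a 24h learning window, stddev anomaly detection and tool burst detection fit together, as an added example rather than g0's BehavioralBaseline: the bucket size, the z-score threshold, the burst window and the sample call stream are assumptions chosen for illustration.

```typescript
// Added example (not g0's code): per-tool call-rate baseline with stddev rate
// anomalies after a learning window, plus short-window burst detection that
// is active from the first call. Timestamps are assumed to arrive in order.

export interface ToolCall { tool: string; at: number } // epoch milliseconds

export interface Anomaly {
  tool: string;
  kind: "rate" | "burst" | "unseen-tool";
  observed: number;
  expected: number;
  detail: string;
}

export class BehavioralBaseline {
  // tool -> bucket index -> call count (buckets are bucketMs wide from startedAt)
  private readonly counts = new Map<string, Map<number, number>>();
  // tool -> timestamps inside the burst window
  private readonly recent = new Map<string, number[]>();

  constructor(
    private readonly startedAt: number,
    private readonly learningMs = 24 * 60 * 60 * 1000, // 24h learning window
    private readonly bucketMs = 60 * 60 * 1000,        // hourly rate buckets (assumption)
    private readonly zThreshold = 3,                   // flag > 3 stddev above the mean (assumption)
    private readonly burstWindowMs = 10_000,           // burst = too many calls in 10s (assumption)
    private readonly burstMax = 20,
  ) {}

  private bucketOf(at: number): number {
    return Math.floor((at - this.startedAt) / this.bucketMs);
  }

  // Feed one call. Returns an anomaly if this call forms a burst (any time) or,
  // once the learning window has passed, exceeds the learned hourly rate.
  observe(call: ToolCall): Anomaly | null {
    const stamps = this.recent.get(call.tool) ?? [];
    stamps.push(call.at);
    while (stamps.length > 0 && call.at - stamps[0] > this.burstWindowMs) stamps.shift();
    this.recent.set(call.tool, stamps);

    const perBucket = this.counts.get(call.tool) ?? new Map<number, number>();
    const bucket = this.bucketOf(call.at);
    const current = (perBucket.get(bucket) ?? 0) + 1;
    perBucket.set(bucket, current);
    this.counts.set(call.tool, perBucket);

    if (stamps.length > this.burstMax) {
      return { tool: call.tool, kind: "burst", observed: stamps.length, expected: this.burstMax,
        detail: `${stamps.length} calls within ${this.burstWindowMs / 1000}s` };
    }
    if (call.at - this.startedAt < this.learningMs) return null; // still learning

    // One sample per bucket of the learning window, zeros included, so hours in
    // which the tool was idle pull the mean down instead of vanishing.
    const learnedBuckets = Math.floor(this.learningMs / this.bucketMs);
    const samples: number[] = [];
    for (let i = 0; i < learnedBuckets; i++) samples.push(perBucket.get(i) ?? 0);
    const mean = samples.reduce((a, b) => a + b, 0) / samples.length;
    if (mean === 0) {
      // A tool that never appeared while learning has no baseline to compare against.
      return { tool: call.tool, kind: "unseen-tool", observed: current, expected: 0,
        detail: "tool was never called during the learning window" };
    }
    const variance = samples.reduce((a, b) => a + (b - mean) * (b - mean), 0) / samples.length;
    // Floor the deviation at one call so a perfectly regular baseline does not
    // turn a single extra call into an infinite z-score.
    const std = Math.max(Math.sqrt(variance), 1);
    const z = (current - mean) / std;
    if (z > this.zThreshold) {
      return { tool: call.tool, kind: "rate", observed: current, expected: mean,
        detail: `${current} calls this bucket vs mean ${mean.toFixed(1)} (z=${z.toFixed(1)})` };
    }
    return null;
  }
}
```

The unseen-tool case is deliberately an anomaly rather than silently extending the baseline: an agent that starts calling shell_exec on day two after never touching it on day one is the behavioral drift the daemon exists to catch, and letting it self-baseline would hide it.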

🏢 Endpoint & Host Security

  • Host Hardening — 8 macOS + 5 Linux + 8 Docker container probes
  • MDM Detection — Jamf, Intune, Mosyle, Kandji, Workspace ONE, Landscape, Puppet, Chef
  • Session Forensics — 35 detection patterns across 9 finding types
  • Egress/Auditd/Falco/Tetragon rule generators for runtime enforcement
  • Cross-platform AI tool detection — Windows, Linux, macOS with 40+ tool signatures

📋 Governance & Compliance

  • Policy Engine — .g0-policy.yaml for scan, runtime, and host policy enforcement
  • Evidence Collector — integrity-hashed evidence records and per-standard compliance reports
  • CI Gate — g0 scan --ci with exit codes (0=pass, 1=fail, 2=warning) and GitHub Actions annotations
  • Risk Acceptance — suppress known findings with documented justification via .g0-risk-accept.yaml

🔧 Offline-First Architecture

g0 v2.0 is offline-first. Every scan, assessment and host probe runs locally: no account, no telemetry, and no data leaves your machine. Two features are network-bound by their nature and are the exceptions to check before use: g0 test sends its payloads to whatever you name with --target, and the optional LLM-backed stages (the LLM-as-judge tier, the AI meta-analyzer, --ai fingerprint verification) need access to a model, so confirm where that model runs before pointing them at agents that handle sensitive data.


📦 Install & Run

# Install globally
npm install -g @guard0/g0

# Or run directly
npx @guard0/g0 scan ./my-agent

# All 8 commands
g0 scan ./my-agent                    # Background check
g0 inventory .                        # AI Bill of Materials
g0 flows .                            # Data flow mapping
g0 mcp scan ./my-mcp-server           # MCP server scan
g0 test --target http://localhost:3000 # Adversarial testing
g0 endpoint                           # Host security audit
g0 daemon start                       # Continuous monitoring
g0 detect                             # MDM + agent + host check

Full changelog: https://github.com/guard0-ai/g0/blob/main/CHANGELOG.md
Documentation: https://github.com/guard0-ai/g0/tree/main/docs

v1.7.2

26 Mar 19:49
2415593


Fixes

  • Sidecar docs corrected (#108) — Deployment guide referenced non-existent /workspace/.openclaw/tool-calls.jsonl. Updated to reference real session JSONL files at /data/.openclaw/agents/{id}/sessions/ with a note that OpenClaw has no dedicated tool call log.

  • Injection events include matched text (#110) — injection.detected webhook events now include matchedSnippets with the actual text that triggered the pattern (~80 chars of surrounding context, capped at 200 chars). PII is automatically redacted from snippets before webhook delivery.

  • OC-H-031 probe expanded — Now detects session JSONL transcripts in agents/{id}/sessions/ as valid tool call logging, in addition to existing log file patterns.

  • OpenClaw plugin version aligned — Resolved version mismatch across package.json (was 1.1.0), index.ts (was 1.0.0), and openclaw.plugin.json (1.0.2). All now consistent at 1.0.2.

v1.7.1 — OpenClaw customer issue fixes

22 Mar 22:44


Fixes

  • Egress alert spam: Fast egress loop now routes violations through NotificationManager for batching/rate-limiting instead of firing individual webhook alerts per violation (#107)
  • Injection false positives: detectInjection() is now source-aware — tool results (articles, docs, logs) get downgraded severity + confidence scoring. New trustedToolOutputs config for per-tool suppression (#107)
  • Policy injection conflicts: injectPolicy defaults to false. Security policy rewritten as SOUL.md-compatible identity directives instead of authoritative injected commands that triggered model resistance (#107)
  • Sandbox visibility: subagent.spawned events now include sandboxMonitored: false to flag unmonitored sandboxes (#107)

Documentation

  • New Sandbox Monitoring Limitations section with architecture diagram and two remediation paths (sidecar, Falco/Tetragon)
  • New Policy Injection section explaining SOUL.md integration approach
  • Updated injection detection docs with source-aware severity and trustedToolOutputs
  • 4 new troubleshooting entries for all customer-reported issues

Plugin

@guard0/g0-openclaw-plugin v1.1.0:

  • Source-aware injection detection (user_input / tool_result / agent_output)
  • Confidence scoring (text length, pattern density)
  • trustedToolOutputs config option
  • sandboxMonitored: false in subagent events
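The v1.7.1 source-aware scoring and the v1.7.2 matchedSnippets change describe one detector seen from two sides, so here is one added example covering both. It is not the plugin's code: the injection patterns, the confidence weights, the PII patterns, the tool names and the sample texts are all assumptions chosen for the example; the snippet limits (about 80 characters of context, capped at 200) follow the release note.

```typescript
// Added example (not @guard0/g0-openclaw-plugin code): source-aware injection
// detection with confidence scoring, trustedToolOutputs suppression, and
// redacted match snippets that are safe to put in a webhook.

export type Source = "user_input" | "tool_result" | "agent_output";
export type Severity = "critical" | "high" | "medium" | "low";
const SEVERITY_ORDER: Severity[] = ["critical", "high", "medium", "low"];

export interface InjectionFinding {
  source: Source;
  severity: Severity;
  confidence: number;        // 0..1, rounded to two decimals
  matchedPatterns: string[];
  matchedSnippets: string[]; // PII already redacted
}

// Illustrative patterns; a real rule set is far larger.
const INJECTION_PATTERNS = [
  { name: "ignore-previous", re: /ignore (?:all |any )?(?:previous|prior|above) instructions/gi },
  { name: "role-override", re: /you are now|new system prompt|disregard (?:your|the) (?:rules|guidelines)/gi },
  { name: "exfil-instruction", re: /(?:send|post|upload|forward) [^.]{0,40}(?:api[_ -]?key|password|secret|token)/gi },
];

const PII_PATTERNS: Array<[RegExp, string]> = [
  [/\b\d{3}-\d{2}-\d{4}\b/g, "[SSN]"],
  [/\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g, "[EMAIL]"],
  [/\b(?:\d[ -]?){13,16}\b/g, "[CARD]"],
];

const CONTEXT_CHARS = 80;
const SNIPPET_CAP = 200;

export function redactPII(text: string): string {
  return PII_PATTERNS.reduce((t, [re, label]) => t.replace(re, label), text);
}

// ~80 chars either side of the match, hard-capped, redacted before it leaves the process.
function snippetAround(text: string, index: number, length: number): string {
  const start = Math.max(0, index - CONTEXT_CHARS);
  const end = Math.min(text.length, index + length + CONTEXT_CHARS);
  return redactPII(text.slice(start, end).slice(0, SNIPPET_CAP));
}

function downgrade(sev: Severity): Severity {
  return SEVERITY_ORDER[Math.min(SEVERITY_ORDER.indexOf(sev) + 1, SEVERITY_ORDER.length - 1)];
}

export function detectInjection(
  text: string,
  source: Source,
  toolName?: string,
  trustedToolOutputs: string[] = [],
): InjectionFinding | null {
  // Per-tool suppression: output of a tool the operator vouches for is not scored at all.
  if (source === "tool_result" && toolName !== undefined && trustedToolOutputs.includes(toolName)) return null;

  const matchedPatterns: string[] = [];
  const matchedSnippets: string[] = [];
  for (const { name, re } of INJECTION_PATTERNS) {
    re.lastIndex = 0; // shared /g regex: always rewind before reuse
    let m: RegExpExecArray | null;
    while ((m = re.exec(text)) !== null) {
      if (!matchedPatterns.includes(name)) matchedPatterns.push(name);
      matchedSnippets.push(snippetAround(text, m.index, m[0].length));
    }
  }
  if (matchedPatterns.length === 0) return null;

  // Confidence: distinct patterns raise it; a lone phrase inside a long document
  // (an article or log a tool fetched) lowers it; a short, dense instruction raises it.
  let confidence = 0.5 + 0.2 * (matchedPatterns.length - 1);
  if (text.length > 2000 && matchedPatterns.length === 1) confidence -= 0.25;
  if (text.length < 200) confidence += 0.1;
  confidence = Math.round(Math.min(1, Math.max(0.1, confidence)) * 100) / 100;

  // Severity: user input is taken at face value; a tool result sits one step
  // lower because injection text there is usually quoted content rather than
  // a command aimed at the agent; low confidence drops it another step.
  let severity: Severity = "high";
  if (source === "tool_result") severity = downgrade(severity);
  if (confidence < 0.4) severity = downgrade(severity);

  return { source, severity, confidence, matchedPatterns, matchedSnippets };
}
```

Redaction happens inside snippetAround, so there is no code path that builds a finding with raw text; that is simpler to audit than redacting at the webhook boundary.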

Full Changelog: v1.7.0...v1.7.1

v1.7.0

18 Mar 06:35


What's New

Cross-Platform AI Tool Detection

  • Windows support: tasklist process detection, 7 host hardening probes (Firewall, BitLocker, Defender, RDP, auto-login, ports, updates), PowerShell egress monitoring, MDM detection via dsregcmd
  • Linux fixes: Claude Code detected via .claude/ and @anthropic-ai/claude-code paths, Cursor ~/.config/Cursor/, MCP config via well-known-paths (18 clients)
  • 40+ AI tool signatures: ChatGPT desktop, Gemini Desktop, Superhuman, Grammarly, Perplexity, Warp, Tabnine, GPT4All, Msty, Otter.ai, Fireflies.ai, Krisp, Granola, Microsoft Copilot, Pieces, Raycast
  • AI plugin helper detection: Detects AI subprocesses in Slack, Zoom, Notion, Figma, M365 — flags active AI usage, not the host app
  • 45+ browser AI services: Microsoft Copilot, Bing Chat, Midjourney, DALL-E, ElevenLabs, Runway, Suno, Character.AI, Jasper, Kagi, Databricks AI, Snowflake Cortex
  • 3 new browsers: Chromium, Vivaldi, Opera (all platforms)

Notification Manager

  • Configurable suppressEventTypes to filter notification noise (#104)
  • Plugin event detail rendering in Slack digests (#103)

Bug Fixes

  • Fix ss bind address parsing for IPv6 and specific IPs (OC-H-052)
  • Fix IPv6 CIDR matching in egress monitor
  • Fix OpenClaw plugin manifest paths and version
  • Skip OpenClaw plugin publish when version unchanged

v1.6.0

13 Mar 09:27
ed0ce4e


What's Changed

Plugin Security Event Notifications

  • New NotificationManager with 3 user-selectable modes for plugin security events:
    • off (default) — no notifications, preserves existing behavior
    • interval — periodic digest every N minutes (default 5) with events grouped by category, sorted by severity
    • realtime — per-event alerts with rate limiting per category (default 60s cooldown), suppressed count in next alert
  • Slack Block Kit digest format with severity-colored sections, agent names, event samples, correlated threats
  • Discord embed, PagerDuty, and generic JSON digest formatters
  • 6 event categories: injection, tool-blocked, pii, message-blocked, subagent-blocked, correlation
  • Safety-net flush on each tick + graceful flush on SIGTERM/SIGINT shutdown
  • Exported postWithRetry from alerter for reuse

Documentation

  • New "Plugin Security Event Notifications" section in endpoint monitoring guide
  • New "Plugin Security Notifications" subsection in enforcement integrations guide
  • Full notification section in OpenClaw deployment guide with mode comparison, config examples, sample digest, event categories, and settings reference

Configuration

"alerting": {
  "webhookUrl": "https://hooks.slack.com/services/...",
  "format": "slack",
  "notifications": {
    "mode": "interval",       // or "realtime" or "off"
    "intervalMinutes": 5,     // interval mode
    "rateLimitSeconds": 60    // realtime mode
  }
}

Full Changelog: v1.5.1...v1.6.0

v1.5.1

11 Mar 16:21
3c3c0b7


What's Changed

Alerting & Notifications

  • Production-quality Slack Block Kit formatter with severity-colored emoji, detail in blockquote, host/time/counts fields
  • Discord and PagerDuty formatters now include detail field
  • PagerDuty: routingKey config support, explicit resolve on secure status
  • Webhook retry with linear backoff (1 initial + 2 retries on 5xx/network failure)
  • Wired alerts for all daemon subsystems: kill switch, behavioral anomalies, cost breaker, host hardening

Daemon Reliability

  • Fixed resolveRunnerPath() for bundled CLI installations
  • Improved startup error messages with searched paths

Build & Release

  • Release workflow now publishes @guard0/openclaw-plugin alongside main package
  • Evidence collector reads version dynamically from package.json

Full Changelog: v1.5.0...v1.5.1

v1.5.0

11 Mar 09:13
9a3b437


What's Changed

Fixed

  • Daemon Silent Death - forkDaemon() now redirects child stdout/stderr to daemon-startup.log and uses IPC handshake to detect early exit. Previously the child was forked with stdio: 'ignore', so crashes during module loading or config parsing produced zero output
  • Runner Path Resolution - resolveRunnerPath() throws with searched paths instead of silently returning a non-existent path
  • Signal Handler Timing - SIGTERM/SIGINT handlers moved to execute immediately after logger initialization
  • Startup FD Leak - startupLogFd is now closed if writePid() throws during daemon startup

Added

  • Secrets in Process Args (OC-H-064) - New critical audit check detects secrets (API keys, passwords, tokens) passed via Docker -e flags. A NAME=value argument is visible to every user on the host through ps aux for as long as the process runs, and for a container the value also persists in docker inspect output for anyone with access to the Docker socket. Pass secrets with --env-file, or with a bare -e NAME so the value is read from the caller's environment rather than the command line
  • Global Crash Handlers - uncaughtException and unhandledRejection handlers installed before main() in the daemon runner
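What a check of this kind looks like over a process listing, as an added example rather than the OC-H-064 probe: it distinguishes the unsafe forms (docker run -e NAME=value, --token value, NAME=value cmd) from the safe ones (-e NAME with no value, --env-file), and it records only the length of the value, never the value, because a finding that echoes the secret would itself be a leak. The ps listing, the secret-name pattern and the container CLI names are assumptions constructed for the example.

```typescript
// Added example (not g0's probe): scan `ps -eo pid,args` output for secrets
// carried on the command line.

export interface ArgSecret {
  pid: number;
  name: string;                                   // variable or flag that carried the secret
  via: "container -e" | "env-assignment" | "flag";
  valueLength: number;                            // never the value itself
  command: string;                                // argv[0] only, not the full line
}

const SECRET_NAME = /(api[_-]?key|secret|token|passw(?:or)?d|credential|private[_-]?key)/i;
const ENV_ASSIGNMENT = /^([A-Za-z_][A-Za-z0-9_]*)=(.*)$/;
const SECRET_FLAG = /^--?[A-Za-z0-9_-]*?(?:key|secret|token|passw(?:or)?d)$/i;
const CONTAINER_CLI = /(?:^|\/)(?:docker|podman|nerdctl)$/;

// Whitespace split that keeps quoted values together.
function tokenize(line: string): string[] {
  const out: string[] = [];
  const re = /"([^"]*)"|'([^']*)'|(\S+)/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(line)) !== null) {
    out.push(m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3]);
  }
  return out;
}

export function findSecretsInArgs(psOutput: string): ArgSecret[] {
  const findings: ArgSecret[] = [];
  for (const rawLine of psOutput.split("\n")) {
    const head = /^(\d+)\s+(.*)$/.exec(rawLine.trim());
    if (!head) continue; // header or blank line
    const pid = Number(head[1]);
    const argv = tokenize(head[2]);
    if (argv.length === 0) continue;
    // argv[0] may itself be a NAME=value prefix; report the real command instead.
    const command = argv.find((t) => !ENV_ASSIGNMENT.test(t)) ?? "";
    const isContainerCli = CONTAINER_CLI.test(command);
    const record = (name: string, via: ArgSecret["via"], value: string): void => {
      findings.push({ pid, name, via, valueLength: value.length, command });
    };

    for (let i = 0; i < argv.length; i++) {
      const tok = argv[i];
      const next = argv[i + 1];

      // docker/podman: `-e NAME=value` exposes the value; `-e NAME` alone does not.
      if (isContainerCli && (tok === "-e" || tok === "--env") && next !== undefined) {
        const m = ENV_ASSIGNMENT.exec(next);
        if (m && SECRET_NAME.test(m[1]) && m[2].length > 0) record(m[1], "container -e", m[2]);
        i++; // the value token was consumed
        continue;
      }
      if (isContainerCli && tok.startsWith("--env=")) {
        const m = ENV_ASSIGNMENT.exec(tok.slice("--env=".length));
        if (m && SECRET_NAME.test(m[1]) && m[2].length > 0) record(m[1], "container -e", m[2]);
        continue;
      }
      // `NAME=value cmd` prefix on any command line.
      const assign = ENV_ASSIGNMENT.exec(tok);
      if (assign && SECRET_NAME.test(assign[1]) && assign[2].length > 0) {
        record(assign[1], "env-assignment", assign[2]);
        continue;
      }
      // `--api-token=value` and `--api-token value`.
      const eq = tok.indexOf("=");
      if (tok.startsWith("-") && eq > 0 && SECRET_FLAG.test(tok.slice(0, eq))) {
        record(tok.slice(0, eq), "flag", tok.slice(eq + 1));
        continue;
      }
      if (SECRET_FLAG.test(tok) && next !== undefined && !next.startsWith("-")) {
        record(tok, "flag", next);
        i++;
      }
    }
  }
  return findings;
}

// Constructed listing in `ps -eo pid,args` shape; no real hosts or keys.
export const SAMPLE_PS = `  PID ARGS
 1234 docker run -d --name api -e OPENAI_API_KEY=sk-live-0000 -e LOG_LEVEL=debug myorg/api:1.0
 1235 docker run -d --name worker --env-file /etc/app/secrets.env myorg/worker:1.0
 1236 docker run -d -e DB_PASSWORD myorg/db:1.0
 1237 node server.js --api-token abc123def --port 3000
 1238 python3 app.py
 1239 AWS_SECRET_ACCESS_KEY=abc123 ./deploy.sh`;
```

Expect exactly three findings from the sample: the docker -e assignment on 1234, the --api-token flag on 1237 and the environment prefix on 1239; 1235 and 1236 use the safe forms and are not reported.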

Full Changelog: v1.4.0...v1.5.0

v1.4.0

10 Mar 18:31


What's New in v1.4.0

Intelligence Pipeline

  • IOC database (55+ indicators) and CVE feed integrated into every scan
  • Tool URLs, endpoints, and agent names checked against known malicious domains, C2 IPs, and hashes
  • Framework versions checked against known CVEs automatically
  • Opt-out via config.analyzers.intelligence
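The IOC check matches tool URLs and endpoints against known malicious domains, and the Security Hardening note further down in this release records the fix that matters for it: matching on URL.hostname with a proper suffix check rather than on the raw string. The following added example (not g0's matcher) shows the two side by side; the IOC list, the fallback for bare host strings and the sample URLs are assumptions constructed for the example.

```typescript
// Added example (not g0's code): substring matching of an IOC domain against a
// raw URL versus matching against the parsed hostname with a suffix check.

export const IOC_DOMAINS = ["evil.example", "c2.bad.test"];   // constructed list
export const IOC_IPS = new Set(["203.0.113.7"]);

// False-positive-prone: any occurrence of the IOC text anywhere in the string
// (path, query string, userinfo, or a longer unrelated domain) counts.
export function naiveMatch(urlOrHost: string): string | null {
  const lower = urlOrHost.toLowerCase();
  return IOC_DOMAINS.find((d) => lower.includes(d)) ?? null;
}

// The host a request would actually be sent to. URL.hostname lowercases,
// drops userinfo/port/path and converts IDN labels to punycode; a bare
// "host[:port][/path]" (an MCP endpoint or agent name) falls back to a
// plain split, since WHATWG parsing treats "host:port" as scheme + path.
export function hostOf(urlOrHost: string): string {
  let host = "";
  try {
    host = new URL(urlOrHost).hostname;
  } catch {
    /* not an absolute URL */
  }
  if (host === "") {
    host = urlOrHost.toLowerCase().replace(/^.*@/, "").split("/")[0].split(":")[0];
  }
  return host.replace(/\.$/, ""); // "evil.example." in FQDN form is still evil.example
}

export function hostnameMatch(urlOrHost: string): string | null {
  const host = hostOf(urlOrHost);
  if (IOC_IPS.has(host)) return host;
  // Exact label match or a subdomain: api.evil.example matches,
  // notevil.example and evil.example.attacker.test do not.
  return IOC_DOMAINS.find((d) => host === d || host.endsWith("." + d)) ?? null;
}
```

Keep the IOC list in the same form the parser produces (lowercase ASCII, punycode for internationalized names); comparing a Unicode IOC against a punycode hostname silently never matches.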

Standards Overhaul

  • Replaced A2AS with OWASP Agentic AI Top 10 (AAT-1 through AAT-10), backed by 600+ contributors from Cisco, Google, Meta, Amazon, and Palo Alto Networks
  • Created definition files for EU AI Act (21 controls), MITRE ATLAS (10 tactics), OWASP LLM Top 10 (LLM01-LLM10)
  • All 10 standards now have complete control definitions

Security Hardening

  • Event receiver: 30s request timeout, backpressure handling, CORS restricted to localhost
  • Prototype pollution guard on recursive object assignment
  • IOC domain matching uses URL.hostname + proper suffix check
  • All CodeQL alerts resolved
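The prototype pollution guard above concerns the recursive merge a daemon uses to layer user settings over defaults. As an added example (not g0's merge code), the vulnerable shape is shown next to a guarded one; the config keys and the hostile payload are constructed for the example, and the demonstrate() helper exists only to show the effect and undo it.

```typescript
// Added example (not g0's code): recursive object assignment with and without
// a prototype-pollution guard.

// Vulnerable: walks every own key of the source, including "__proto__", which
// JSON.parse does create as an own property. On the target, target["__proto__"]
// resolves to Object.prototype, so the recursion writes into it.
export function unsafeDeepAssign(target: any, source: any): any {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      unsafeDeepAssign(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(["__proto__", "prototype", "constructor"]);

function isPlainObject(v: unknown): v is Record<string, unknown> {
  if (v === null || typeof v !== "object" || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Guarded: refuse the three keys that reach a prototype, descend only into
// plain-object values, and never follow an inherited property on the target.
export function safeDeepAssign(
  target: Record<string, unknown>,
  source: Record<string, unknown>,
): Record<string, unknown> {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      // Fail closed: a config carrying this key is hostile, not a typo.
      throw new Error(`refusing to merge key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeDeepAssign(isPlainObject(own) ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Shows the pollution, cleans it up, then shows the guard rejecting the same payload.
export function demonstrate(): { unsafePolluted: boolean; safeRejected: boolean; safePolluted: boolean } {
  const hostile = '{"alerting": {"format": "slack"}, "__proto__": {"isAdmin": true}}';
  unsafeDeepAssign({}, JSON.parse(hostile));
  const unsafePolluted = ({} as Record<string, unknown>).isAdmin === true;
  Reflect.deleteProperty(Object.prototype, "isAdmin"); // undo so the rest of the process is unaffected

  let safeRejected = false;
  try {
    safeDeepAssign({}, JSON.parse(hostile));
  } catch {
    safeRejected = true;
  }
  const safePolluted = ({} as Record<string, unknown>).isAdmin === true;
  return { unsafePolluted, safeRejected, safePolluted };
}
```

Because safeDeepAssign throws part-way through, merge into a scratch copy and commit it only on success; the defaults object must not be left half-updated by a rejected config.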

Daemon Services

  • BehavioralBaseline, CorrelationEngine, and CostMonitor wired into daemon tick loop
  • Anomaly detection and cost circuit breaker active in background monitoring

CLI & Features

  • g0 detect — MDM enrollment, running AI agents, and host hardening in one view
  • --rules-dir — load custom YAML rules from a directory
  • --follow — real-time log tailing for daemon logs
  • Contextual error message hints for clone, path, and config errors

Testing & Quality

  • 52 new tests (enforcement, alerter, process-detector, openclaw-drift)
  • 1,504 tests across 100 test files
  • Zero as any casts, zero TypeScript errors
  • Verified rule count: 1,180 (485 TS + 695 YAML)

Docs

  • Expanded API docs with runTests, reporters, config reference, YAML rule authoring
  • Installation troubleshooting guide
  • Code of Conduct added

Full Changelog: https://github.com/guard0-ai/g0/blob/main/CHANGELOG.md

v1.3.0

09 Mar 13:15
926f51c


What's New

Enhanced Scanning Architecture

  • Scan policy presets: --preset strict|balanced|permissive with severity overrides, thresholds, and domain weights
  • Analyzability scoring — fail-closed approach that flags opaque/unparseable files as risk
  • Pipeline taint tracking — detects multi-step shell exfil chains (cat /etc/passwd | base64 | curl)
  • Cross-tool correlation — identifies 7 dangerous capability combinations across agent-bound tools
  • Cross-file exfiltration — traces sensitive reads → import chain → network writes
  • AI meta-analyzer with authority hierarchy and consensus-mode FP detection (--ai-consensus N)
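Both the v2.0 "Pipeline Taint Analysis" bullet and the pipeline taint tracking item above describe the same chain: a sensitive read, an encoding step, a network write (cat /etc/passwd | base64 | curl). As an added illustration, not g0's own implementation, this splits a shell command on unquoted pipes and classifies each stage; the command sets, the sensitive-path patterns and the sample commands are assumptions chosen for the example.

```typescript
// Added example (not g0's code): classify the stages of a shell pipeline as
// sensitive source -> obfuscation -> network sink.

type StageKind = "source" | "obfuscation" | "sink" | "other";

export interface TaintResult {
  command: string;
  stages: Array<{ segment: string; kind: StageKind }>;
  tainted: boolean;    // a sensitive read reaches a network sink later in the pipe
  obfuscated: boolean; // ...with at least one encoding/compression step in between
}

// Illustrative lists; a real rule set is far larger.
const SENSITIVE_PATHS = [/\/etc\/(?:passwd|shadow)\b/, /\.ssh\/id_[a-z0-9]+/, /\.aws\/credentials\b/, /(?:^|[\s/])\.env\b/];
const READ_CMDS = new Set(["cat", "head", "tail", "tac", "less", "more", "strings", "xxd"]);
const OBFUSCATION_CMDS = new Set(["base64", "xxd", "od", "rev", "tr", "gzip", "bzip2", "xz", "openssl"]);
const NETWORK_CMDS = new Set(["curl", "wget", "nc", "ncat", "netcat", "socat", "ssh", "scp"]);

// Split on unquoted single pipes. "||" is a logical OR, not a pipe, and a pipe
// inside quotes is data, so both stay inside the current segment.
export function splitPipeline(command: string): string[] {
  const segments: string[] = [];
  let current = "";
  let quote = "";
  for (let i = 0; i < command.length; i++) {
    const ch = command.charAt(i);
    if (quote) {
      current += ch;
      if (ch === quote) quote = "";
    } else if (ch === '"' || ch === "'") {
      quote = ch;
      current += ch;
    } else if (ch === "|" && command.charAt(i + 1) === "|") {
      current += "||";
      i++;
    } else if (ch === "|") {
      segments.push(current.trim());
      current = "";
    } else {
      current += ch;
    }
  }
  if (current.trim()) segments.push(current.trim());
  return segments;
}

// The command name of one segment: skip env assignments and sudo, and strip any
// directory prefix so /usr/bin/curl and curl classify alike.
function commandName(segment: string): string {
  const argv = segment.split(/\s+/);
  let i = 0;
  while (i < argv.length && (argv[i] === "sudo" || /^[A-Za-z_][A-Za-z0-9_]*=/.test(argv[i]))) i++;
  return (argv[i] ?? "").replace(/^.*\//, "");
}

function classify(segment: string): StageKind {
  const cmd = commandName(segment);
  const touchesSecret = SENSITIVE_PATHS.some((re) => re.test(segment));
  if (READ_CMDS.has(cmd) && touchesSecret) return "source"; // xxd /etc/passwd is a read, not an encoding
  if (NETWORK_CMDS.has(cmd)) return "sink";
  if (OBFUSCATION_CMDS.has(cmd)) return "obfuscation";
  return "other";
}

export function analyzePipeline(command: string): TaintResult {
  const stages = splitPipeline(command).map((segment) => ({ segment, kind: classify(segment) }));
  const sourceIdx = stages.findIndex((s) => s.kind === "source");
  const sinkIdx = stages.findIndex((s, i) => i > sourceIdx && s.kind === "sink");
  const tainted = sourceIdx >= 0 && sinkIdx > sourceIdx;
  const obfuscated = tainted && stages.slice(sourceIdx + 1, sinkIdx).some((s) => s.kind === "obfuscation");
  return { command, stages, tainted, obfuscated };
}
```

Order matters in the chain: a sensitive read after the network command (curl ... | tee /etc/passwd) is a different finding, so the sink is only searched for after the source's position.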

MCP Scanning Improvements

  • Multi-language source scanning — TS/JS/Go tool extraction (was Python-only)
  • Description-behavior alignment — catches tools claiming "read-only" with shell/network capabilities
  • Manifest consistency — detects undeclared/phantom tools between source and config

Scan-Driven Dynamic Testing

  • 4 new attack categories: cross-tool-chain, taint-exploit, description-mismatch, tool-output-injection
  • 3 new judge heuristics for dynamic testing
  • Auto-mode leverages static scan findings for smarter, targeted payloads

Infrastructure

  • npm trusted publishers with OIDC provenance (no more NPM_TOKEN)
  • CI skips runs on docs/assets/workflow-only changes
  • 4 new YAML rules (AA-TS-181..184)
  • 1,110 tests passing across 70 test files

Full Changelog: v1.2.0...v1.3.0

v1.2.0

08 Mar 17:22


What's New

Endpoint v2 — Multi-Layer Security Scanning (#41)

g0 endpoint is now a full endpoint security assessment with a 7-layer scan pipeline:

Layer  Name                Default  Description
1      Config Discovery    on       Finds AI tool configs across 18 tools
2      Process Detection   on       Checks which AI tools are running
3      MCP Security        on       Scans MCP server configurations
4      Network Discovery   on       Enumerates ports, fingerprints AI services, detects shadow services
5      Artifact Scanning   on       Finds plaintext API keys, credential files, unencrypted data stores
6      Forensics           opt-in   Scans conversation stores for metadata (--forensics)
7      Browser History     opt-in   Scans browser history for AI service usage (--browser)

New capabilities:

  • 0–100 endpoint score with letter grade (A–F) across 4 categories: Configuration, Credentials, Network, Discovery
  • Cross-reference analysis — detects shadow services, orphaned configs, config-vs-reality mismatches
  • Drift detection — compares scans to detect new shadow services, credential exposures, score drops
  • Auto-remediation: --fix fixes permissions, suggests .gitignore entries, flags keys for rotation, recommends localhost binding and auth enablement

g0 endpoint                        # Full scan
g0 endpoint --forensics --browser  # Include opt-in layers
g0 endpoint --fix                  # Auto-fix and remediation

OpenClaw Hardening v2 — Fingerprint-First Architecture (#67)

Live instance hardening expanded from 12 to 18 probes with a fingerprint-first architecture:

  • Zero false positives — upfront fingerprint phase (version headers, server headers, /__openclaw__/ path, HTML branding) gates all checks. Unknown targets get all checks skipped.
  • AI verification: --ai upgrades unknown fingerprints and discovers novel security issues
  • 6 new probes: WebSocket auth (OC-H-012), weak webhook token brute-force (OC-H-013), CSP WebSocket restrictions (OC-H-014), SPA catch-all masking (OC-H-015), canvas endpoint exposure (OC-H-016), favicon fingerprinting (OC-H-017), config file permissions (OC-H-018)
  • Tighter scanner patterns: FP reduction on SSN/credit card/credential/base64 detection
  • Auditor improvements: registry response validation, future date protection, 5-minute cache, expanded IOC patterns

Documentation (#68)

  • Comprehensive rewrite of endpoint monitoring docs covering all v2 features
  • OpenClaw hardening docs updated for 18-probe fingerprint-first architecture
  • README updated with accurate probe counts, instance counts, and endpoint v2 features

Install / Upgrade

npm install -g @guard0/g0@1.2.0

Full Changelog: v1.1.2...v1.2.0