Open-source antivirus for AI agents: block risky tools, secret access, prompt injection, malicious packages, MCP servers, plugins, and skills at runtime.
# Add to your Claude Code skills
git clone https://github.com/hashgraph-online/hol-guardLast scanned: 7/15/2026
{
"issues": [
{
"file": "tests/fixtures/hermes-plugin-evil/skills/security/malicious/SKILL.md",
"line": 11,
"type": "secret-exfiltration",
"message": "Instruction appears to send credentials/secrets to an external endpoint",
"severity": "medium"
},
{
"file": "tests/fixtures/hermes-plugin-evil/skills/security/malicious/SKILL.md",
"line": 15,
"type": "secret-exfiltration",
"message": "Pipes a secret file directly to the network: \"cat ~/.ssh/id_rsa | curl\"",
"severity": "medium"
},
{
"file": "tests/fixtures/malicious-skill-plugin/skills/leaky-skill/SKILL.md",
"line": 10,
"type": "secret-exfiltration",
"message": "Instruction appears to send credentials/secrets to an external endpoint",
"severity": "medium"
},
{
"file": "tests/fixtures/malicious-skill-plugin/skills/leaky-skill/SKILL.md",
"line": 14,
"type": "secret-exfiltration",
"message": "Pipes a secret file directly to the network: \"cat .env | curl\"",
"severity": "medium"
}
],
"status": "PASSED",
"scannedAt": "2026-07-15T06:13:03.295Z",
"npmAuditRan": true,
"pipAuditRan": false,
"promptInjectionRan": true
}hol-guard is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by hashgraph-online. Open-source antivirus for AI agents: block risky tools, secret access, prompt injection, malicious packages, MCP servers, plugins, and skills at runtime. It has 396 GitHub stars.
Yes. hol-guard passed SkillsLLM's automated security scan — a dependency vulnerability audit plus prompt-injection heuristics — with no high-severity issues. You can read the full report in the Security Report section on this page.
Clone the repository with "git clone https://github.com/hashgraph-online/hol-guard" and add it to your Claude Code skills directory (see the Installation section above).
hol-guard is primarily written in Python. It is open-source under hashgraph-online on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh hol-guard against similar tools.
No comments yet. Be the first to share your thoughts!
![]() |
Stop risky AI actions before they compromise your machine. HOL Guard is a local-first security layer for AI agents, tools, plugins, skills, MCP servers, and package installs.Install HOL GuardRead the documentationPyPI Package (hol-guard)Report an Issue |
|---|
HOL Guard brings antivirus-style runtime protection to AI agents. It evaluates supported agent actions and local artifacts for secret exposure, prompt injection, unsafe commands, malicious packages, and MCP risks. Guard can allow safe work, block known threats, pause ambiguous actions for approval, and record security receipts for later review.
Use HOL Guard locally without a cloud account. Connect Guard Cloud when you want synchronized evidence, team policies, fleet visibility, and shared approval workflows.
pipx install hol-guard
hol-guard init
hol-guard init discovers compatible AI agents, explains each setup change before applying it, and guides you through your first protected action.
Install guide · Supported agents · Local vs. cloud · Security policy
| Threat surface | Guard protection |
|---|---|
| Agent tool calls | Evaluates supported shell, file, MCP, prompt, and tool-result events through native hooks, managed proxies, or reversible launch overlays. |
| Secrets and credentials | Detects sensitive file access, credential-shaped output, staged exfiltration, and suspicious outbound commands. |
| AI supply chain | Reviews package installs, plugins, skills, MCP servers, hooks, and agent configuration before trust is granted. |
| Prompt injection | For adapters that expose prompt events, screens prompt and tool intent for instructions that attempt to expose secrets, evade controls, or trigger destructive behavior. |
| Human approval | Routes ambiguous actions to native prompts, the local approval center, or Guard Cloud according to the active policy. |
| Security evidence | Records attributable receipts and inventory changes so decisions can be reviewed, explained, and synchronized. |
Guard prefers the strongest integration each agent exposes. Enforcement depth varies by agent and event type; see the support matrix for the exact current contract.
HOL Guard currently integrates with Codex, Claude Code, GitHub Copilot CLI, Cursor, Gemini CLI, Hermes, OpenClaw, OpenCode, Antigravity, Kimi Code, Grok, Pi / oh-my-pi, and ZCode.
These developer agents are Guard's deepest integrations today, but the product boundary is broader: the same policy, supply-chain, approval, and evidence layers are designed to protect AI agents and their local tool ecosystems as new adapters are added.
Most security tools see only one part of an AI agent's attack surface. Code scanners run after files change. Sandboxes constrain a process but do not understand agent intent. MCP gateways see MCP traffic but not local shell commands, package installs, skills, hooks, or agent configuration.
HOL Guard combines those signals at the local runtime boundary. It discovers the agent and its tools, evaluates supported actions against one policy, requests human approval only when needed, and records the resulting decision. The goal is practical protection without turning ordinary AI-assisted work into a stream of prompts.
| If you want to... | Install | Start with |
|---|---|---|
| protect AI agents and their local runtime | hol-guard |
hol-guard init |
| lint and verify plugins, skills, MCP servers, and marketplace packages in CI | plugin-scanner |
plugin-scanner verify . |
hol-guard is the end-user antivirus and runtime protection product. plugin-scanner is the maintainer and CI companion for analyzing agent ecosystem packages before release.
To update an existing pipx install from PyPI:
pipx upgrade hol-guard
If you installed Guard with pipx, verify the active user command before testing local flows:
command -v hol-guard
hol-guard --version
For a local wheel build, install into the pipx-managed hol-guard environment. Do not test with PYTHONPATH=src; that bypasses the same package path users run.
python3 -m build --wheel
hol-guard update --wheel dist
hol-guard --version
hol-guard update --wheel accepts either a specific .whl file or a directory and picks the newest matching hol_guard-*.whl.
To force a specific release, use Python package specifier syntax:
pipx install --force 'hol-guard==2.0.345'
Do not use hol-guard@<version>; pipx treats that as a separate app name, not a package version.
hol-guard init is the first-run guided setup. It shows a progressive plan first, then gates each side effect: approve dashboard, Guard completes it, then approve app protection, Guard completes it, then approve Cloud connect and notifications. Nothing opens or changes until you approve that checkpoint. Use hol-guard init --yes only for automation when you already trust the plan.
Manual and follow-up commands:
pipx run hol-guard bootstrap
pipx run hol-guard hermes bootstrap
pipx run hol-guard run codex --dry-run
pipx run hol-guard run codex
pipx run hol-guard approvals
pipx run hol-guard receipts
pipx run hol-guard status
pipx run hol-guard connect
pipx run hol-guard connect status
pipx run hol-guard connect repair
pipx run hol-guard sync
pipx run hol-guard supply-chain sync
pipx run hol-guard supply-chain scan
pipx run hol-guard supply-chain explain minimist@1.2.5 --ecosystem npm
pipx run hol-guard explain install-connect
What you get from Guard:
See docs/guard/get-started.md for the full local flow.
hol-guard start
Shows the next step for the harnesses Guard found.hol-guard init
Runs first-run onboarding as approval checkpoints: local dashboard, harness discovery and install, optional Guard Cloud connect, and desktop notification setup.hol-guard bootstrap
Detects the best local harness, starts the approval center, and installs Guard in front of it.hol-guard hermes bootstrap
Installs the Guard-managed Hermes overlay bundle directly.hol-guard status
Shows what Guard is watching now.hol-guard install <harness>
Creates the launcher shim for that harness.hol-guard uninstall --self
Removes Guard-managed harness wiring, package shims, local Guard state, and uninstalls the current hol-guard package.hol-guard update
Updates the installed hol-guard package in the current environment.hol-guard run <harness> --dry-run
Records the current state once before you trust it.hol-guard run <harness>
Reviews changes before launch and hands blocked sessions to the approval center when needed.hol-guard approvals
Lists pending approvals or resolves them from the termina