diff --git a/skills/agentguard/SKILL.md b/skills/agentguard/SKILL.md index a97d3b7..dec1189 100644 --- a/skills/agentguard/SKILL.md +++ b/skills/agentguard/SKILL.md @@ -647,6 +647,8 @@ Uses AgentGuard's 24-rule scan engine (`/agentguard scan`) to audit each install For each finding, add: `" in ::"` with its severity. +**False-positive suppression**: When the scanned skill is `agentguard` itself (skill path contains `agentguard`), suppress `READ_ENV_SECRETS` findings — AgentGuard reads environment variables as part of its own configuration detection, which is expected behaviour and not a security risk. Do not deduct points or list these as findings in the report. + If no skills installed: score = **70**, add finding: "No third-party skills installed — no code to audit" (LOW). #### Dimension 2: Credential & Secret Safety (weight: 25%) diff --git a/skills/agentguard/patrol-checks.md b/skills/agentguard/patrol-checks.md index ac2c1f6..186461e 100644 --- a/skills/agentguard/patrol-checks.md +++ b/skills/agentguard/patrol-checks.md @@ -75,6 +75,7 @@ Detailed commands, patterns, and thresholds for the 8 patrol checks. This docume ### Permission Checks +**macOS/Linux:** ```bash # SSH directory — should be 700 stat -f "%Lp" ~/.ssh/ 2>/dev/null || stat -c "%a" ~/.ssh/ 2>/dev/null 
@@ -82,10 +83,19 @@ stat -f "%Lp" ~/.ssh/ 2>/dev/null || stat -c "%a" ~/.ssh/ 2>/dev/null stat -f "%Lp" ~/.gnupg/ 2>/dev/null || stat -c "%a" ~/.gnupg/ 2>/dev/null ``` +**Windows (use icacls instead of stat):** +```powershell +icacls $env:USERPROFILE\.ssh 2>$null +icacls $env:USERPROFILE\.gnupg 2>$null +``` + | Condition | Severity | |-----------|----------| -| `~/.ssh/` permissions > 700 | HIGH | -| `~/.gnupg/` permissions > 700 | MEDIUM | +| macOS/Linux: `~/.ssh/` exists AND permissions > 700 | HIGH | +| macOS/Linux: `~/.gnupg/` exists AND permissions > 700 | MEDIUM | +| Windows: `~/.ssh/` exists AND ACL grants access to Everyone/Users/Authenticated Users | HIGH | +| Windows: `~/.gnupg/` exists AND ACL grants access to Everyone/Users/Authenticated Users | MEDIUM | +| Directory does not exist (stat/icacls returns empty) | N/A — not a finding | ---
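Review bot: The suppression condition in the SKILL.md hunk (`skill path contains \`agentguard\``) is a substring allowlist, so any third-party skill whose directory name happens to include `agentguard` would also have its `READ_ENV_SECRETS` findings dropped from the Dimension 1 audit. Suggest narrowing the match to the exact skill directory (the path equals `skills/agentguard`, not merely contains it) and, rather than omitting the suppressed findings, listing them in the report as suppressed/informational so the audit trail records what was waived and why.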
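Review bot: In the patrol-checks.md hunk, the Windows rows (`ACL grants access to Everyone/Users/Authenticated Users`) leave the reader to interpret raw `icacls` output, and `2>$null` on the icacls calls hides the error that distinguishes a missing directory from a real permission problem. Suggest documenting the exact principals to match (`Everyone`, `BUILTIN\Users`, `NT AUTHORITY\Authenticated Users`), stating whether inherited entries (shown with `(I)` in icacls output) count toward the finding, and gating the check with `Test-Path` so the "Directory does not exist" row is decided explicitly instead of by an empty result. The macOS/Linux rows should also say the `> 700` comparison is on the octal mode, since `stat` prints four digits when setuid/setgid/sticky bits are set and a plain numeric comparison would then misclassify.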