fix

skills/agentguard/SKILL.md

@@ -647,6 +647,8 @@ Uses AgentGuard's 24-rule scan engine (`/agentguard scan`) to audit each install
 
 For each finding, add: `"<rule_id> in <skill>:<file>:<line>"` with its severity.
 
+**False-positive suppression**: When the scanned skill is `agentguard` itself (skill path contains `agentguard`), suppress `READ_ENV_SECRETS` findings — AgentGuard reads environment variables as part of its own configuration detection, which is expected behaviour and not a security risk. Do not deduct points or list these as findings in the report.
+
 If no skills installed: score = **70**, add finding: "No third-party skills installed — no code to audit" (LOW).
 
 #### Dimension 2: Credential & Secret Safety (weight: 25%)

skills/agentguard/patrol-checks.md

@@ -75,17 +75,27 @@ Detailed commands, patterns, and thresholds for the 8 patrol checks. This docume
 
 ### Permission Checks
 
+**macOS/Linux:**
 ```bash
 # SSH directory — should be 700
 stat -f "%Lp" ~/.ssh/ 2>/dev/null || stat -c "%a" ~/.ssh/ 2>/dev/null
 # GnuPG — should be 700
 stat -f "%Lp" ~/.gnupg/ 2>/dev/null || stat -c "%a" ~/.gnupg/ 2>/dev/null
 ```
 
+**Windows (use icacls instead of stat):**
+```powershell
+icacls $env:USERPROFILE\.ssh 2>$null
+icacls $env:USERPROFILE\.gnupg 2>$null
+```
+
 | Condition | Severity |
 |-----------|----------|
-| `~/.ssh/` permissions > 700 | HIGH |
-| `~/.gnupg/` permissions > 700 | MEDIUM |
+| macOS/Linux: `~/.ssh/` exists AND permissions > 700 | HIGH |
+| macOS/Linux: `~/.gnupg/` exists AND permissions > 700 | MEDIUM |
+| Windows: `~/.ssh/` exists AND ACL grants access to Everyone/Users/Authenticated Users | HIGH |
+| Windows: `~/.gnupg/` exists AND ACL grants access to Everyone/Users/Authenticated Users | MEDIUM |
+| Directory does not exist (stat/icacls returns empty) | N/A — not a finding |
 
 ---