SIGIL

Automated security auditing for AI agent code

A protective mark for every line of code.
by NOMARK

Sigil scans repositories, packages, MCP servers, skills, and agent tooling for malicious patterns before they reach your working environment. Nothing runs until it's been scanned, scored, and explicitly approved.

The AI tooling ecosystem moves fast. Developers clone repos from tutorials, install MCP servers with 12 GitHub stars, and pull agent skills from Discord — all of which get direct access to API keys, databases, and cloud credentials. Traditional dependency scanners catch known CVEs but miss the real threat: intentionally malicious code designed to exfiltrate credentials, establish backdoors, or execute arbitrary commands via install hooks.

Sigil fills this gap with a quarantine-first approach.

Quick Install

Manual Install (Current):

# Clone the repository
git clone https://github.com/NOMARJ/sigil.git
cd sigil

# Make the CLI executable and install
chmod +x bin/sigil
sudo cp bin/sigil /usr/local/bin/sigil

# Initialize directories and aliases
sigil install

Coming Soon:

• Homebrew: brew install nomarj/sigil
• npm: npm install -g @nomark/sigil
• curl installer: curl -sSL https://sigilsec.ai/install.sh | sh
• Docker: docker pull nomark/sigil:latest

Note: The sigil package name on crates.io is occupied by an unrelated project. We will publish as @nomark/sigil when Rust CLI is ready.

→ See all installation methods

How It Works

┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│  You run a   │────▶│  Sigil       │────▶│  Clean?      │
│  command     │     │  quarantines │     │  Approve.    │
│              │     │  & scans     │     │  Dirty?      │
│  gclone      │     │              │     │  Reject.     │
│  safepip     │     │  6 phases.   │     │              │
│  safenpm     │     │  <3 seconds. │     │  You decide. │
└──────────────┘     └──────────────┘     └──────────────┘

Sigil runs six analysis phases on every scan (Phases 1-6 are free, Phase 9 requires Pro):

Each finding is weighted and scored. You get a clear verdict:

Usage

Core Commands

# Clone a repo into quarantine, scan it, get a verdict
sigil clone https://github.com/someone/cool-mcp-server

# Download and scan a pip package before installing
sigil pip some-agent-toolkit

# Download and scan an npm package before installing
sigil npm langchain-community-plugin

# Scan a directory or file already on disk
sigil scan ./downloaded-skill/

# 🔒 Pro: Enhanced LLM-powered scanning (requires authentication)
sigil login --token YOUR_API_TOKEN
sigil scan ./code --enhanced              # AI-powered threat detection
sigil scan ./code --enhanced --verbose    # With detailed output

# Download and scan any URL
sigil fetch https://example.com/agent-tool.tar.gz

# Manage quarantine
sigil list              # See all quarantined items
sigil approve abc123    # Move approved code out of quarantine
sigil reject abc123     # Permanently delete quarantined code

Discovery Commands

Find and research AI tools, packages, and dependencies before using them:

# Search for AI tools and packages
sigil search "natural language processing"
sigil search "web scraping"
sigil search "machine learning"

# Get curated tool recommendations for specific use cases  
sigil discover "chatbot development"
sigil discover "data analysis pipeline"
sigil discover "web scraping automation"

# Get detailed information about a specific tool
sigil info pypi/langchain
sigil info npm/puppeteer  
sigil info pypi/scrapy

# Discovery integrates with security auditing
sigil search "pdf processing" | head -3    # Find options
sigil info pypi/pypdf                      # Research a tool
sigil pip pypdf                            # Audit before installing

Discovery Features:

• Smart Search: Natural language queries find relevant tools
• Use Case Stacks: Get curated tool recommendations for specific workflows
• Trust Scoring: See security ratings and trust scores for every tool
• Installation Ready: Get exact install commands with security pre-checks
• Ecosystem Coverage: Search across pip, npm, and other package managers

Shell Aliases

After running sigil install, these aliases are available in every terminal session. Use the commands you already know — Sigil protects you automatically:

Git Hooks

# Auto-scan any repo on clone (global git hook)
sigil install --git-hooks

IDE & Agent Integrations

Sigil works where you work. Install the plugin for your editor, or connect AI agents via MCP:

Claude Code Plugin (Recommended)

Install as a native Claude Code plugin for skills, agents, and auto-recommendations:

# Add Sigil marketplace
claude plugin marketplace add https://github.com/NOMARJ/sigil.git

# Install the plugin
claude plugin install sigil-security@sigil

This provides:

• /sigil-security:scan-repo - Scan repositories
• /sigil-security:scan-package - Audit npm/pip packages
• /sigil-security:scan-file - Analyze specific files
• /sigil-security:quarantine-review - Manage findings
• @security-auditor - Expert threat analysis agent
• @quarantine-manager - Quarantine workflow agent

→ See Claude Code plugin documentation

Claude Code MCP Server

Alternatively, use the MCP server for tool-based integration:

{
  "mcpServers": {
    "sigil": {
      "command": "node",
      "args": ["/path/to/sigil/plugins/mcp-server/dist/index.js"]
    }
  }
}

Build the MCP server first:

cd plugins/mcp-server && npm install && npm run build

npx @nomark/sigil-mcp-server will be available once the package is published to npm.

Threat Intelligence

When authenticated (sigil login), Sigil connects to a community-powered threat intelligence database. Every scan from every user contributes anonymised pattern data. When someone flags a malicious package, the threat signature propagates to all users within minutes.

No source code is ever transmitted — only pattern match metadata (which rules triggered, file types, risk scores).

Offline mode: All six scan phases run locally without authentication. Threat intelligence lookups are skipped, but you still get full local analysis.

# Authenticate to enable threat intel
sigil login

Learn more about authentication →

Why Not [Existing Tool]?

The Complete Stack:

• Sigil (Layer 1): Quarantine-first before code enters your environment (supply-chain protection)
• Aardvark/Codex Security (Layer 2): Deep AI analysis after code is committed (GPT-5 powered)
• Claude Code Security (Layer 2): Deep AI analysis after code is committed (Claude powered)

Positioning:

• Aardvark and Claude Code Security compete (both do deep vulnerability scanning)
• Sigil complements both (different layer: pre-install vs post-commit)
• Use Sigil + (Aardvark OR Claude Code Security) for complete coverage

→ See complete integration guide

Snyk and Dependabot flag known CVEs — they don't scan for intentional malice. Socket.dev is npm-only. Semgrep is a pattern engine, not a workflow. The AI security stack (Sigil + Aardvark/Claude Code Security) provides defense-in-depth.

Pricing

The CLI is free and open source with all eight scan phases. Sigil Pro turns your scanner into an AI security consultant.

Why upgrade? Transform cryptic security alerts into actionable intelligence. Instead of wondering "Is this real?", get AI-powered explanations, threat assessments, and verification in seconds.

See full pricing →

Documentation

Comprehensive documentation is available in the docs/ directory:

Getting Started:

• Getting Started Guide — Installation and first scan
• CLI Reference — All commands and options
• Discovery Commands — Find and research tools before use ⭐ NEW
• Authentication Guide — Connect to Sigil Pro
• Configuration — Environment variables and settings

Technical Deep Dives:

• Architecture Overview — System design
• Detection Patterns — What Sigil scans for
• Threat Intelligence 2025 — Current threat landscape
• API Reference — REST API endpoints

Integration Guides:

• CI/CD Integration — GitHub Actions, GitLab CI, etc.
• IDE Plugins — VS Code, JetBrains setup
• MCP Server — Use Sigil as an MCP tool for AI agents
• Forge to CLI Migration — Migrate from Forge web UI to CLI discovery ⭐ NEW
• AI Security Stack — Sigil + Aardvark + Claude Code Security
• Claude Code Security Integration — Defense-in-depth with Anthropic
• AI Agent Integration — Claude Code, MCP, and other AI agents

Security Research:

• Case Study: OpenClaw Attack — Real-world supply chain attack
• Prompt Injection Patterns — Detection techniques
• Malicious Signatures — Threat signature database

Browse all documentation →

Roadmap

See ROADMAP.md for the full roadmap.

Today: Quarantine-first scanning for pip, npm, and git repos. Six-phase behavioral detection. Cloud threat intelligence with community reporting and signature sync. Dashboard with scan history, team management, and policy controls. Rust CLI binary, VS Code / Cursor / Windsurf extension (.vsix), JetBrains plugin, MCP server for AI agents, and GitHub Actions integration.

Now: Hosted cloud — sign up and scan without running infrastructure.

Next: Homebrew tap and npm package. Docker image and Go/Cargo scanning. VS Code Marketplace and JetBrains Marketplace listings. Custom scan rules via YAML. Enterprise SSO, RBAC, and audit logs. GitLab, Jenkins, and CircleCI integrations.

Contributing

We welcome contributions. See CONTRIBUTING.md for guidelines.

Security

Found a vulnerability? Please report it responsibly. See SECURITY.md.

License

Apache 2.0 — see LICENSE for details.

SIGIL by NOMARK
A protective mark for every line of code.