{"slug": "makerchecker-puts-a-policy-gate-in-front-of-ai-agents-that-can-delete-trade-or", "title": "MakerChecker puts a policy gate in front of AI agents that can delete, trade or exfiltrate", "summary": "MakerChecker, an open-source project with no identified maintainers or funding, released a security model for AI agents that enforces policy gates before tool execution, targeting regulated workflows in finance, healthcare, and software deployment. The scanner runs locally, classifies risks, and logs decisions in a cryptographically signed audit trail, aiming to prevent unauthorized actions like data deletion or money movement.", "body_md": "[MakerChecker](https://github.com/makerchecker/MakerChecker?ref=runtimewire) is pushing a security model for AI agents that starts with a blunt premise: the dangerous part of an agent is the tool it is allowed to call, so the control point belongs before execution.\n\nThe public repo is active as of July 6, 2026 and still small by open-source adoption signals. At scrape time, MakerChecker showed 59 commits on main, 68 branches, 10 tags, 0 forks, and 3 stars. That is not evidence of adoption. It is evidence of a project being assembled in public.\n\nThe maintainers are not identified in the repo or the available project pages. There is no disclosed founder name, funding round, customer list, revenue claim or company entity. That absence matters because MakerChecker is making a trust claim in a category where trust is the product. For now, the verifiable story is the code, the docs and the control model: a new open-source attempt to make agentic systems auditable before operators wire them into finance, health care, software deployment and other workflows where a mistaken tool call can move from inconvenience to liability.\n\n### What MakerChecker actually scans\n\nThe scanner is designed to run locally with:\n\n```\nnpx @makerchecker/scan .\n```\n\nMakerChecker says the scan requires no install and that \"nothing leaves your machine.\" The scanner looks for capabilities such as deleting data, moving money, running shell commands and exfiltrating secrets. The README says it classifies findings by risk, maps them to real incidents and can write governance code with a `--fix`\n\nflag.\n\nThat framing shifts control away from the model and onto the tool path. The model can still hallucinate or be compromised, but its call to a consequential tool has to pass through an external policy layer.\n\nThe repo is not just a scanner. It includes an embedded enforcement package, SDKs, connectors for frameworks including LangChain and the Claude SDK, a self-hosted Fastify and Postgres server, a React console, a proof verifier, examples, docs, a Helm deployment path, an `injection-gauntlet`\n\ndirectory and a spec path for `agent-action-proof`\n\n. A July 3 commit message says MakerChecker added runnable reproductions for 41 incidents, which gives the project a concrete corpus around agent-tool risk rather than a generic checklist.\n\n### The control model is separation of duties\n\nMakerChecker's README puts the enforcement layer in front of each tool call and behind it as a signed ledger. The configuration model is role-based: define skills, define roles, grant skills to roles, define agents and deny ungranted calls before they execute.\n\nThe examples show permissions attached to roles rather than agents; if a role has not granted a skill, the wrapped tool call is denied. That borrows a well-known enterprise separation-of-duties pattern and applies it to AI agents. The agent can prepare the work. A separate role must approve the risky action. Every allow or deny decision is written into an audit log.\n\nThe project describes a cryptographically signed, hash-chained log for decisions and tool calls, plus a verifier so exported proofs can be checked offline. More details are on the [MakerChecker homepage](https://makerchecker.ai/?ref=runtimewire).\n\nThat approach should resonate with regulated buyers, if the implementation holds. Compliance teams already understand maker-checker controls in finance, pharma and enterprise software release processes. MakerChecker is trying to make that pattern native to AI agent runs rather than bolted on afterward.\n\n### The first markets are obvious\n\nThe examples in the repo point at regulated workflows where an agent can assemble or triage work, but a human gate blocks the final irreversible action.\n\nThe timing is also clear. AI agents are moving from demos into workflows that touch credentials, files, SaaS systems, code repositories and payment rails. If an agent cannot act, it is a chatbot. If it can act, someone has to answer who gave it that authority, what limit applied and whether the same actor prepared and approved the outcome.\n\nA May [arXiv technical report](https://arxiv.org/abs/2605.28588?ref=runtimewire) examined public agent skills and found confirmed malicious payloads and critical security issues. MakerChecker is one answer to the same market pressure: operators need to know what agent-connected code can do before it runs, and they need controls that survive a bad prompt.\n\n### A crowded category is forming fast\n\nMakerChecker is entering a security subcategory that is filling quickly. [Mondoo](https://mondoo.com/newsroom/mondoo-launches-ai-skills-security-checker?ref=runtimewire) announced AI Skills Check on April 21, 2026, describing it as a free, agent-agnostic scanner for identifying hidden risks in AI agent skills across registries before deployment. Mondoo says its checker compares what a skill claims to do against code and behavior, and supports environments including Claude Code, Cursor, Windsurf, custom Anthropic SDK agents and MCP servers.\n\n[Mitiga](https://www.mitiga.io/press-release/mitiga-labs-launches-skillgate-to-detect-risks-in-ai-agent-skills-and-configurations?ref=runtimewire) launched Skillgate on June 16, 2026, saying it scans AI-agent skills and configurations across popular tools and formats.\n\n[Guard0](https://guard0.ai/g0?ref=runtimewire) positions `g0`\n\nas an open-source scanner that maps agents, tools, prompts, MCP servers and related security domains, with CI gating and SARIF-style output. [AgentVerus](https://agentverus.ai/?ref=runtimewire) offers skill-risk scans, trust scores and cryptographic attestations. [Evoke Security](https://www.prnewswire.com/news-releases/evoke-security-raises-4m-pre-seed-round-to-secure-the-agentic-workforce-302694394.html?ref=runtimewire) announced a $4 million pre-seed round in February, led by Crosspoint Capital Partners with participation from Red Cell Partners, for visibility and control over enterprise AI agents. [Cisco](https://blogs.cisco.com/news/cisco-announces-intent-to-acquire-astrix-security?ref=runtimewire) said in May that it intended to acquire Astrix Security, tying the deal to discovery and security for AI agents and non-human identities.\n\nThe crowded field helps MakerChecker more than it hurts at this stage. The existence of scanners, skill registries, MCP gateways, non-human identity tools and agent governance startups shows buyers are beginning to budget for this problem. MakerChecker's narrower wedge is the two-key rule: scan the code, define the role, block the call, record the proof.\n\n### The hardening path will matter\n\nMakerChecker's default quickstart is built for evaluation, not a production security guarantee. [Barista Labs](https://www.baristalabs.io/blog/makerchecker-agent-separation-of-duties?ref=runtimewire) published a June 17 teardown that praised the separation-of-duties model but noted a sharp implementation concern: the quickstart runs as the Postgres owner, which can disable append-only triggers unless the hardened setup is used. That does not negate the model. It does mean security buyers should judge MakerChecker by its hardened deployment path, proof verifier and operational controls, rather than by the fastest demo path.\n\nLicensing also follows an open-source split. The repo indicates an AGPL-3.0 core with Apache-2.0 SDKs.\n\nThe unanswered question is distribution. A security layer for agents needs more than a persuasive README. It needs framework integrations that stay current, CI workflows developers will tolerate, false-positive rates low enough for engineering teams, and deployment guidance that compliance and security teams can defend under audit. MakerChecker has the right shape of product for the problem. The next proof will be whether builders of real agents treat policy-gated tool calls as a default control rather than an optional wrapper they add after the pilot succeeds.\n\nRuntimeWire has been tracking the same pattern in other open-source AI infrastructure projects, from [Okhai's Foundation stack](/article/okhai-nmxmxh-foundation-ai-software-stack) to recent solo-builder systems work around [Phargo](/article/ekin-ertac-phargo-ai-php-rust-wordpress) and [NanoEuler](/article/vincenzo-nanoeuler-cuda-gpt-2-training-stack). MakerChecker belongs to that wave, but its stakes are different. If AI agents are going to be allowed to touch money, customer data, medical workflows and production systems, the founder or maintainer who wins this layer will be selling a simple promise: the agent can do useful work without becoming the only person in the approval chain.", "url": "https://wpnews.pro/news/makerchecker-puts-a-policy-gate-in-front-of-ai-agents-that-can-delete-trade-or", "canonical_source": "https://runtimewire.com/article/makerchecker-ai-agent-dangerous-capability-scanner", "published_at": "2026-07-06 13:53:00+00:00", "updated_at": "2026-07-07 01:15:33.767619+00:00", "lang": "en", "topics": ["ai-safety", "ai-agents", "ai-policy", "ai-tools", "ai-research"], "entities": ["MakerChecker", "LangChain", "Claude SDK", "Fastify", "Postgres", "React"], "alternates": {"html": "https://wpnews.pro/news/makerchecker-puts-a-policy-gate-in-front-of-ai-agents-that-can-delete-trade-or", "markdown": "https://wpnews.pro/news/makerchecker-puts-a-policy-gate-in-front-of-ai-agents-that-can-delete-trade-or.md", "text": "https://wpnews.pro/news/makerchecker-puts-a-policy-gate-in-front-of-ai-agents-that-can-delete-trade-or.txt", "jsonld": "https://wpnews.pro/news/makerchecker-puts-a-policy-gate-in-front-of-ai-agents-that-can-delete-trade-or.jsonld"}}