Scan Your AI Agents for Dangerous Capabilities
MakerChecker is a new open-source security layer for AI agents. It scans your agent's code, identifies risky capabilities, and enforces deny-by-default governance with a verifiable audit trail. The project consists of three independent packages: mc scan, @makerchecker/embedded, and a self-hosted server.
Quick Start: Scan Your Code
Run mc scan on your agent's codebase. It finds every consequential action—deleting data, moving money, running shell commands, exfiltrating secrets—and classifies each by risk. The scan runs locally; nothing leaves your machine. It even names each risk against real-world incidents it resembles. Use --fix to auto-generate governance code.
npx @makerchecker/scan
Guarantee Its Behavior
Import the governance controls and wrap any tool. The agent can only run what its role was granted—a denied call is blocked before execution.
import { createGovernor, GovernanceDeniedError } from "@makerchecker/embedded";
const gov = createGovernor()
.defineSkill("place-order@1", { riskTier: "high" })
.defineRole("agent")
.defineRole("risk-desk")
.grant("risk-desk", "place-order@1")
.defineAgent("trader", "agent");
const placeOrder = gov.governedTool("trader", "place-order@1", (order) => broker.submit(order));
try {
await placeOrder({ symbol: "BTC", qty: 10 });
} catch (err) {
if (err instanceof GovernanceDeniedError) console.log(err.code); // "skill_not_granted"
}
High-risk skills go to a separate role, so an agent can never approve its own work. Every decision—allowed or denied—commits to a signed audit log.
Verifiable Audit Trail
Every decision and tool call is hash-chained: each event is a SHA-256 over RFC 8785 canonical JSON, chained through prev_hash from genesis, and Ed25519-signed. Change any row and verification breaks. Export a bundle and anyone verifies it offline with:
npx @makerchecker/proof-verifier verify bundle.json
No database or trust required.
Integrate with Existing Frameworks
MakerChecker provides drop-in connectors for LangChain, Claude Agent SDK, and more. The TypeScript and Python SDKs let you route tool calls through a proxy session for centralized authorization.
import { createClient, governedTool, GovernanceDeniedError } from "@makerchecker/sdk";
const client = createClient({ baseUrl: "http://localhost:3000", apiKey: "mk_..." });
const { session } = await client.proxy.openSession({ label: "recon-run" });
const match = governedTool(
client, session.id,
"recon-preparer",
"txn-match@1",
(input) => matchTxns(input),
);
await match({ statement, ledger });
await client.proxy.closeSession(session.id);
Self-Hosted Server
For centralized enforcement across many agents, a human-approval inbox, and a review console, run the self-hosted server. docker compose up brings up Postgres, the server on localhost:3000, and a seeded demo. Two API keys are printed: an admin key (for agent authentication) and an officer key (for human reviewers).
The seeded pharmacovigilance flow demonstrates that the requester cannot approve its own run:
curl -X POST localhost:3000/api/flows/pv-icsr-processing/runs -H "$H" -H 'content-type: application/json' -d '{}'
curl localhost:3000/api/approvals -H "$H"
# Self-approval attempt rejected with 403
curl -X POST localhost:3000/api/approvals//decision -H "$H" -H 'content-type: application/json' \
-d '{"decision":"approved","reason":"self-approval attempt"}'
# Officer signs; only then action proceeds
curl -X POST localhost:3000/api/approvals//decision -H "$OFFICER" -H 'content-type: application/json' \
-d '{"decision":"approved","reason":"Seriousness confirmed; file 15-day expedited ICSRs."}'
Packages and Licensing
mc scan,embedded, SDKs, connectors, examples: Apache-2.0 (embed in closed-source agents freely)- Server, Web, Shared: AGPL-3.0
- Commercial (non-copyleft) licensing available
Why This Matters
AI agents are increasingly handling sensitive operations—financial transactions, medical data, shell commands. Without guardrails, a misconfigured agent can cause real damage. MakerChecker provides a practical, auditable way to enforce boundaries, with a clear chain of custody for every action.
Editor's Take
I've seen too many AI agent demos where the presenter says "don't worry, we'll add controls later." MakerChecker is the controls, shipped today. The hash-chained audit trail is particularly clever—it solves the "who approved this?" problem without requiring trust in a central database. I'd like to see Python SDK maturity and more framework connectors, but the architecture is solid. If you're deploying agents that touch production data, this is worth a weekend hack.

