MakerChecker: Open-Source Security Gateway and Static Scanner for AI Agents

MakerChecker: Open-Source Security Gateway and Static Scanner for AI Agents

MakerChecker is an open-source security framework designed to prevent AI agents from executing unauthorized or dangerous actions. It implements a "deny-by-default" security posture, ensuring that agents can only execute tools and skills they have been explicitly granted, while providing a tamper-evident audit trail for every decision.

Static Risk Scanning with mc scan

MakerChecker includes a static analysis tool, mc scan, which identifies potentially dangerous capabilities within an agent's codebase. The scanner flags consequential actions—such as deleting data, transferring funds, running shell commands, or exfiltrating secrets—and classifies them by risk tier.

Key features of the scanner include:

  • Local Execution: The scan runs entirely on the local machine; no data leaves the environment.
  • Automated Governance: The tool can automatically generate governance code to mitigate identified risks using the --fix flag.
  • Multi-Language Support: It supports code written in Python, JavaScript, and TypeScript.

Runtime Enforcement and Governance

MakerChecker provides an embedded library (@makerchecker/embedded) and a centralized server to enforce role-based access control (RBAC) at the moment a tool is called. This prevents an agent from exceeding its granted limits or approving its own work.

Role-Based Access Control (RBAC)

The system defines "skills" (specific actions) and "roles" (sets of permissions). An agent is assigned a role, and the tool is wrapped in a governance layer that checks if the agent's role possesses the required skill. If the skill is not granted, the system throws a GovernanceDeniedError before the tool executes.

Human-in-the-Loop (HITL) Approvals

For high-risk skills, MakerChecker enforces a segregation of duties. The agent can request a high-risk action, but the action remains gated until a separate human "officer" role signs off on the request. The system structurally prevents the requester from acting as their own approver.

Verifiable Audit Trails

To meet regulatory and auditing requirements, MakerChecker generates a cryptographically signed, hash-chained audit log.

  • Tamper Evidence: Every event is a SHA-256 hash over the RFC 8785 canonical JSON of the event, chained to the previous event's hash. Any modification to a single row breaks the verification chain.
  • Offline Verification: Audit bundles can be exported and verified offline using the npx @makerchecker/proof-verifier tool, removing the need to trust the process that produced the logs.
  • Cryptographic Signing: All decisions are Ed25519-signed.

Integration and Architecture

MakerChecker is designed to be framework-agnostic and integrates with existing AI agent stacks via dedicated connectors:

  • Framework Connectors: Official connectors are available for LangChain and the Claude Agent SDK.
  • SDKs: Full TypeScript and Python SDKs are provided for custom integrations.
  • Deployment Options: Users can choose between the @makerchecker/embedded library for local enforcement or a self-hosted server (deployed via Docker Compose) for centralized authorization, a human-approval inbox, and a review console.

Package Ecosystem

Package License Purpose
packages/scan Apache-2.0 Static risk scanning and classification
packages/embedded Apache-2.0 Runtime governance primitives
packages/proof-verifier Apache-2.0 Offline audit bundle verification
packages/sdk / sdk-python Apache-2.0 Client libraries for server integration
packages/connector-langchain Apache-2.0 LangChain tool governance
packages/connector-claude-agent Apache-2.0 Claude Agent SDK governance
packages/server AGPL-3.0 Centralized gateway and flow engine
packages/web AGPL-3.0 Approval inbox and review console

Community Perspectives

While MakerChecker addresses the need for runtime guardrails, some developers have questioned the necessity of separate AI security frameworks. One commenter on Hacker News suggested that traditional operating system permissions (sysadmin roles and file-level access control) could handle many of these requirements without the need for specialized "bolt-on" AI security tools.

Another perspective highlighted the cyclical nature of AI development, noting that the industry initially had permission-based agents but moved toward unchecked autonomy for the sake of speed, and is now returning to the implementation of safeguards as a reaction to those risks.

Sources