MakerChecker: Open-Source Security Gateway and Static Scanner for AI Agents
MakerChecker: Open-Source Security Gateway and Static Scanner for AI Agents
MakerChecker is an open-source security framework designed to prevent AI agents from executing unauthorized or dangerous actions. It implements a "deny-by-default" security posture, ensuring that agents can only execute tools and skills they have been explicitly granted, while providing a tamper-evident audit trail for every decision.
Static Risk Scanning with mc scan
MakerChecker includes a static analysis tool, mc scan, which identifies potentially dangerous capabilities within an agent's codebase. The scanner flags consequential actions—such as deleting data, transferring funds, running shell commands, or exfiltrating secrets—and classifies them by risk tier.
Key features of the scanner include:
- Local Execution: The scan runs entirely on the local machine; no data leaves the environment.
- Automated Governance: The tool can automatically generate governance code to mitigate identified risks using the
--fixflag. - Multi-Language Support: It supports code written in Python, JavaScript, and TypeScript.
Runtime Enforcement and Governance
MakerChecker provides an embedded library (@makerchecker/embedded) and a centralized server to enforce role-based access control (RBAC) at the moment a tool is called. This prevents an agent from exceeding its granted limits or approving its own work.
Role-Based Access Control (RBAC)
The system defines "skills" (specific actions) and "roles" (sets of permissions). An agent is assigned a role, and the tool is wrapped in a governance layer that checks if the agent's role possesses the required skill. If the skill is not granted, the system throws a GovernanceDeniedError before the tool executes.
Human-in-the-Loop (HITL) Approvals
For high-risk skills, MakerChecker enforces a segregation of duties. The agent can request a high-risk action, but the action remains gated until a separate human "officer" role signs off on the request. The system structurally prevents the requester from acting as their own approver.
Verifiable Audit Trails
To meet regulatory and auditing requirements, MakerChecker generates a cryptographically signed, hash-chained audit log.
- Tamper Evidence: Every event is a SHA-256 hash over the RFC 8785 canonical JSON of the event, chained to the previous event's hash. Any modification to a single row breaks the verification chain.
- Offline Verification: Audit bundles can be exported and verified offline using the
npx @makerchecker/proof-verifiertool, removing the need to trust the process that produced the logs. - Cryptographic Signing: All decisions are Ed25519-signed.
Integration and Architecture
MakerChecker is designed to be framework-agnostic and integrates with existing AI agent stacks via dedicated connectors:
- Framework Connectors: Official connectors are available for LangChain and the Claude Agent SDK.
- SDKs: Full TypeScript and Python SDKs are provided for custom integrations.
- Deployment Options: Users can choose between the
@makerchecker/embeddedlibrary for local enforcement or a self-hosted server (deployed via Docker Compose) for centralized authorization, a human-approval inbox, and a review console.
Package Ecosystem
| Package | License | Purpose |
|---|---|---|
packages/scan |
Apache-2.0 | Static risk scanning and classification |
packages/embedded |
Apache-2.0 | Runtime governance primitives |
packages/proof-verifier |
Apache-2.0 | Offline audit bundle verification |
packages/sdk / sdk-python |
Apache-2.0 | Client libraries for server integration |
packages/connector-langchain |
Apache-2.0 | LangChain tool governance |
packages/connector-claude-agent |
Apache-2.0 | Claude Agent SDK governance |
packages/server |
AGPL-3.0 | Centralized gateway and flow engine |
packages/web |
AGPL-3.0 | Approval inbox and review console |
Community Perspectives
While MakerChecker addresses the need for runtime guardrails, some developers have questioned the necessity of separate AI security frameworks. One commenter on Hacker News suggested that traditional operating system permissions (sysadmin roles and file-level access control) could handle many of these requirements without the need for specialized "bolt-on" AI security tools.
Another perspective highlighted the cyclical nature of AI development, noting that the industry initially had permission-based agents but moved toward unchecked autonomy for the sake of speed, and is now returning to the implementation of safeguards as a reaction to those risks.