Agent Trust
Agent Trust is a dependency-free local pre-action trust gate for AI agents. It emits a deterministic JSON bundle before an agent crosses a risky boundary: tool/MCP use, browser actions, external skills/plugins, x402 or paid endpoints, publishing/outreach, or other side effects.
The public repository is intentionally small and runnable: no cloud account, no wallet, no network call, no secret collection, no real-money path.
Two-minute proof
git clone https://github.com/tigrohvost/agent-trust.git
cd agent-trust
python3 -m pip install -e .
bash scripts/agent_trust_first_run.sh
Expected result: all commands exit 0; examples/agent_trust_doctor.py prints JSON with ok: true.
Core commands
python3 -m agent_trust.cli --print-contract
python3 -m agent_trust.cli examples/input.json
python3 examples/agent_trust_verify.py
python3 examples/agent_trust_doctor.py
Integration paths
- CLI: python3 -m agent_trust.cli examples/input.json
- Python import: from agent_trust.bundle import build_agent_trust_bundle
- Agent discovery: examples/agent_trust_manifest.json
- Schemas: schemas/agent_trust_request.schema.json and schemas/agent_trust_bundle.schema.json
- Reviewer packet: examples/agent_trust_review_packet.json
Try it and report
Ran the two-minute proof? Tell us what happened — especially wrong verdicts (a benign descriptor denied, a hostile one allowed) and what evidence your agent would need before relying on a bundle:
- File feedback (structured template, no secrets)
- Longer review packet for framework/MCP developers: docs/AGENT_TRUST_FEEDBACK.md
Safety boundary
Agent Trust is advisory evidence, not a hosted enforcement service or compliance certificate. The checked-in proof path performs no network calls, no wallet access, no code execution of untrusted inputs, no signing, no payments, and no real-money action. Production use still needs a non-bypassable policy chokepoint.
What to read next
docs/AGENT_TRUST_FIRST_RUN.md — fastest proof path.
docs/AGENT_TRUST_FOR_AGENTS.md — how another agent should consume it.
docs/AGENT_TRUST_INTEGRATION.md — CLI/import/schema integration choices.
docs/AGENT_TRUST_THREAT_MODEL.md — trust boundaries and residual risks.
Agent Trust
Agent Trust is a small, dependency-free Python package and portable agent skill for local pre-action trust checks by autonomous agents.
It combines four pieces in one repository:
- deterministic trust bundles before an agent lets a tool, MCP server, skill, repository helper, x402 endpoint, or other dependency touch sensitive authority;
- a root SKILL.md for OpenClaw, Claude/Claude Code-style, Codex-style, Hermes-style, and AgentSkills-compatible runtimes;
- machine-readable metadata (index.json, .claude-plugin/, schemas, examples) so agents can inspect the contract before reading implementation files;
- a local self-selection improvement loop that helps an agent rank and apply the next small safe improvement instead of waiting for step-by-step instructions.
Core boundary: local only, no network calls for checks, no wallet access, no untrusted tool execution, no signing, no real-money action.
Authorship: Agent Trust is created and maintained by Rain (Ouroboros) as an agent-security skill for humans and autonomous agents that need inspectable trust boundaries before action.
Agent compatibility
Agent Trust is packaged as a portable skill/review boundary for OpenClaw, Hermes-style agents, Claude, Codex, and other agent runtimes that can read a repository-level SKILL.md or follow local CLI instructions.
Use it when an agent is about to install or authorize a tool, MCP server, skill, repository helper, x402 endpoint, or other dependency. The skill gives the agent a local, inspectable way to produce an allow / review / deny packet before secrets, network, filesystem writes, wallet signing, payments, or posting are allowed.
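The allow / review / deny packet described here, together with the non-bypassable policy chokepoint the safety boundary section calls for, as an added illustration. This is hypothetical example code, not the project's build_agent_trust_bundle or its schemas; the authority classes, descriptor fields and sample descriptors are constructed for the example.

```python
import hashlib
import json

# Authority classes, constructed for this illustration (not the project's schema).
LOCAL_DENY = {"wallet_signing", "payment"}            # a local gate never self-approves these
NEEDS_REVIEW = {"secrets", "network", "fs_write", "posting"}


def canonical_json(obj) -> str:
    """Stable serialization: identical requests give identical bytes and hashes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def evaluate_descriptor(descriptor: dict) -> dict:
    """Build a deterministic allow / review / deny bundle for one dependency descriptor."""
    requested = set(descriptor.get("requested_authority", []))
    denied = sorted(requested & LOCAL_DENY)
    sensitive = sorted(requested & NEEDS_REVIEW)
    if denied:
        verdict, reason = "deny", "requests authority never granted locally: " + ",".join(denied)
    elif sensitive:
        verdict, reason = "review", "sensitive authority requested: " + ",".join(sensitive)
    else:
        verdict, reason = "allow", "no sensitive authority requested"
    return {
        "verdict": verdict,
        "reason": reason,
        "evidence": {
            # Whether the descriptor carries a pinned source digest (hypothetical field).
            "source_pinned": bool(descriptor.get("pinned_digest")),
            # Hash of the canonical request, so a reviewer can tie the bundle to its input.
            "request_sha256": hashlib.sha256(canonical_json(descriptor).encode()).hexdigest(),
        },
    }


def gated_call(descriptor: dict, action):
    """Policy chokepoint: the side effect runs only on an explicit 'allow' verdict."""
    bundle = evaluate_descriptor(descriptor)
    if bundle["verdict"] != "allow":
        return {"executed": False, "bundle": bundle}
    return {"executed": True, "result": action(), "bundle": bundle}


# Constructed sample descriptors (not real tools or endpoints).
READ_ONLY_HELPER = {"name": "example-formatter", "requested_authority": []}
PAID_ENDPOINT = {"name": "example-x402-endpoint", "requested_authority": ["network", "payment"]}

if __name__ == "__main__":
    for d in (READ_ONLY_HELPER, PAID_ENDPOINT):
        print(canonical_json(gated_call(d, lambda: "ran")))
```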
Why
Autonomous agents increasingly install skills, call tools, connect MCP servers, negotiate x402-style paid resources, and act across accounts. Discovery is not trust. A public repository, DNS record, package name, or manifest is only evidence. Agent Trust turns that evidence into a small machine-readable packet that other humans/agents can inspect before action.
Install
git clone https://github.com/tigrohvost/agent-trust.git
cd agent-trust
python3 -m venv .venv
. .venv/bin/activate
pip install -e '.[test]'
Security and responsible reporting
Agent Trust is local-first and must not expose real secrets. If you find a secret-handling, boundary-bypass, schema, or misleading-trust issue, see SECURITY.md.
Recommended agent workflow
Use Agent Trust with a contract-first workflow. Before broad repository scanning, an agent should: