Claude Code, Codex, Cursor and Gemini CLI decide what they're allowed to do in config files you rarely open. Sigil reads those files for you and scores the risk: sandboxes, permissions, hooks, MCP servers. It runs as a single command on your machine, with no account and nothing sent anywhere.
curl --proto '=https' --tlsv1.2 -fsSL https://raw.githubusercontent.com/Ju571nK/sigil/main/install.sh | sh
A command only runs because some config allowed it. Sigil scores that config, the same guard surface an attacker probes, across every AI coding agent you use.
Read the deep-dive: why the config file is the real attack surface →Whether the agent runs with a sandbox at all, or has it switched off and reaches your whole host.
Broad allow rules and silent auto-approve that let an agent act without ever asking you.
PreToolUse hooks with wildcard matchers or destructive inline commands.
Project-scoped mcp.json servers set to auto-execute, or remote / shell-launcher servers.
Prompt-injection directives planted in agent instruction files to steer it off-task.
Run it whenever, or leave the daemon on. A clean repo at 0/low jumps the moment a risky hook lands.
Sigil doesn't sit in your way or intercept your commands. It reads posture and gives you a number you can act on. Blocking is opt-in and off by default, so your agent keeps working.
If you've got Claude Code and Codex running unattended across several boxes, each one has its own posture, and you can't watch them all by hand. The same scan rolls up across machines, so one view shows which host is riskiest and why.
Free, open source, and it never phones home.