Posture check for AI coding agents · runs on your machine

Is your AI coding agent wide open right now?

Claude Code, Codex, Cursor and Gemini CLI decide what they're allowed to do in config files you rarely open. Sigil reads those files for you and scores the risk: sandboxes, permissions, hooks, MCP servers. It runs as a single command on your machine, with no account and nothing sent anywhere.

$ curl --proto '=https' --tlsv1.2 -fsSL https://raw.githubusercontent.com/Ju571nK/sigil/main/install.sh | sh
macOS · Linux · Windows  ·  Apache-2.0  ·  Rust, single binary  ·  no telemetry
~/dev — sigil
$sigil scan  # read-only · no daemon
scanning agent config on this host…
overall CRITICAL 8.2 · 7 tools · 14 findings
claude-codeuser-global8.2CRITICAL
codexuser-global5.6HIGH
cursorapplication2.5MEDIUM
antigravityuser-global0.0LOW
claude-code · no_sandbox · broad_matcher · mcp_server_local_command  ·  sigil scan --json for detail
What it reads

The surface that decides what your agent can do

A command only runs because some config allowed it. Sigil scores that config, the same guard surface an attacker probes, across every AI coding agent you use.

Read the deep-dive: why the config file is the real attack surface →
Sandbox boundaries

Whether the agent runs with a sandbox at all, or has it switched off and reaches your whole host.

flags no_sandbox
Tool permissions

Broad allow rules and silent auto-approve that let an agent act without ever asking you.

flags broad_matcher · auto_approve
Hooks

PreToolUse hooks with wildcard matchers or destructive inline commands.

flags destructive_in_inline_command
MCP servers

Project-scoped mcp.json servers set to auto-execute, or remote / shell-launcher servers.

flags auto_execute · remote_mcp
Instruction files

Prompt-injection directives planted in agent instruction files to steer it off-task.

flags prompt_injection
Re-scored on change

Run it whenever, or leave the daemon on. A clean repo at 0/low jumps the moment a risky hook lands.

claude-code · codex · cursor · gemini · antigravity · continue
It measures.
It doesn't block.

Sigil doesn't sit in your way or intercept your commands. It reads posture and gives you a number you can act on. Blocking is opt-in and off by default, so your agent keeps working.

EDR sees the command that ran. Sigil sees the permission that let it run.
One person, many machines

Running agents on a rack of Mac minis? You already have a fleet.

If you've got Claude Code and Codex running unattended across several boxes, each one has its own posture, and you can't watch them all by hand. The same scan rolls up across machines, so one view shows which host is riskiest and why.

9.5
mini-01
4.0
mini-02
1.0
mini-03
7.5
mini-04
0.5
laptop
See the fleet dashboard, sigil-manager →

Find out in one command.

Free, open source, and it never phones home.

Get Sigil on GitHub Read the install guide Share on X