AGI Agent Kit (Antigravity) is a powerful framework. With great power comes great responsibility. This document defines the Rules of Engagement for all security and offensive capabilities within the agent framework.
What is an Offensive Skill? Any skill designed to penetrate, exploit, disrupt, or simulate attacks against systems. Examples: Pentesting, SQL Injection, Phishing Simulation, Red Teaming.
Every offensive skill MUST begin with this exact disclaimer in its SKILL.md:
⚠️ AUTHORIZED USE ONLY This skill is for educational purposes or authorized security assessments only. You must have explicit, written permission from the system owner before using this tool. Misuse of this tool is illegal and strictly prohibited.
Offensive skills must NEVER run fully autonomously.
- Requirement: The skill description/instructions must explicitly tell the agent to ask for user confirmation before executing any exploit or attack command.
- Agent Instruction: "Ask the user to verify the target URL/IP before running."
- No Weaponized Payloads: Skills should not include active malware, ransomware, or non-educational exploits.
- Sandbox Recommended: Instructions should recommend running in a contained environment (Docker/VM).
What is a Defensive Skill? Tools for hardening, auditing, monitoring, or protecting systems. Examples: Linting, Log Analysis, Configuration Auditing.
- Data Privacy: Defensive skills must not upload data to 3rd party servers without explicit user consent.
- Non-Destructive: Audits should be read-only by default.
The following packages and tools are banned from this codebase due to confirmed supply chain compromises or critical security vulnerabilities. No skill, directive, execution script, or CI workflow may reference, recommend, or depend on them.
| Package / Tool | Reason | Date Blocked | Alternative |
|---|---|---|---|
litellm |
TeamPCP supply chain backdoor (versions 1.82.7–1.82.8) — credential harvesting, K8s lateral movement, persistent backdoor | 2026-03-25 | Direct SDK wrappers (OpenAI SDK, Langfuse SDK) |
trivy / aquasecurity/trivy-action |
75/76 version tags force-pushed to credential stealer by TeamPCP | 2026-03-25 | Snyk, Checkov, CodeQL, Semgrep |
aquasecurity/setup-trivy |
Tags v0.2.0-v0.2.6 force-pushed — exfiltrates CI/CD secrets | 2026-03-25 | Snyk, Checkov, CodeQL, Semgrep |
- Pre-publish scan:
execution/security_scan.pychecks for blocked package references before release. - CI gate: Any PR introducing a blocked package name in code or docs will be flagged.
- To add a new entry: Append to the table above and add the pattern to
execution/security_scan.pyBLOCKED_PACKAGESlist.
If a blocked package has been remediated and you want to re-allow it:
- Verify the fix with an independent security audit or CVE resolution.
- Open a PR with evidence and update this table with the unblock rationale.
- Requires explicit maintainer approval.
By using this framework, you agree that:
- You are responsible for your own actions.
- The authors and contributors are not liable for any damage caused by these tools.
- You will comply with all local, state, and federal laws regarding cybersecurity.