sage
Health Pass
- License — License: Apache-2.0
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Community trust — 161 GitHub stars
Code Fail
- rm -rf — Recursive force deletion command in packages/claude-code/package.json
Permissions Pass
- Permissions — No dangerous permissions requested
Sage is a lightweight security layer designed to protect AI agents by intercepting and scanning tool calls. It inspects shell commands, file writes, and web requests against threat rules, URL reputation services, and package supply-chain checks before they execute.
Security Assessment
The core function of this tool requires it to intercept and analyze sensitive operations, including shell command executions and file writes. It also makes outbound network requests to perform cloud-based URL reputation and malware checks. No hardcoded secrets were found, and it does not request broadly dangerous system permissions. However, the automated scan flagged a recursive force deletion command (`rm -rf`) inside a package configuration file. While common in build scripts, this represents a minor risk. Overall risk rating: Medium.
Quality Assessment
The project appears to be actively and professionally maintained, with its last repository push occurring today. It uses the standard Apache-2.0 license and provides comprehensive documentation. Community trust is steadily growing, demonstrated by 161 GitHub stars.
Verdict
Use with caution — while the tool is well-maintained and broadly safe for deployment, users should verify the flagged `rm -rf` script to ensure it doesn't impact unintended directories during installation or cleanup.
Lightweight Agent Detection & Response (ADR) layer for AI agents — guards commands, files, and web requests. Part of Gen Agent Trust Hub.
Sage
Safety for Agents - a lightweight Agent Detection & Response (ADR) layer for AI agents that guards commands, files, and web requests.
Sage intercepts tool calls (Bash commands, URL fetches, file writes) via hook systems in Claude Code, Cursor / VS Code, OpenClaw, and OpenCode, and checks them against:
- URL reputation - cloud-based malware, phishing, and scam detection
- Local heuristics - YAML-based threat definitions for dangerous patterns
- Package supply-chain checks - registry existence, file reputation, and age analysis for npm/PyPI packages
- Plugin scanning - scans other installed plugins for threats at session start
Quick Start
Claude Code
Requires Node.js >= 18.
/plugin marketplace add https://github.com/gendigitalinc/sage.git
/plugin install sage@sage
Cursor
Install the official extension from the Cursor extension marketplace. Alternatively, build from source:
pnpm install && pnpm -C packages/extension run package:cursor:vsix
VS Code
Install the official extension from the VS Code extension marketplace. To use Sage’s MCP tools, start the MCP server manually via: MCP: List Server → sage → Start server.
Alternatively, build from source:
pnpm install && pnpm -C packages/extension run package:vscode:vsix
OpenClaw
# From npm (recommended)
openclaw plugins install @gendigital/sage-openclaw
# From source
pnpm install && pnpm build
cp -r packages/openclaw sage && openclaw plugins install ./sage
OpenCode
Use a local source checkout and add the plugin path in OpenCode config:
git clone https://github.com/gendigitalinc/sage
cd sage
pnpm install
pnpm --filter @gendigital/sage-opencode run build
{
"plugin": ["/absolute/path/to/sage/packages/opencode"]
}
See Getting Started for detailed instructions.
Documentation
| Document | Description |
|---|---|
| Getting Started | Installation for all platforms |
| How It Works | Detection layers, data flow, verdicts |
| Configuration | All config options and file paths |
| Threat Rules | YAML rule format and what gets checked |
| Package Protection | npm/PyPI supply-chain checks |
| Plugin Scanning | Session-start plugin scanning |
| AMSI Scanning | Windows antimalware scanning via AMSI |
| Architecture | Monorepo structure, packages, design decisions |
| MCP Server | Shared MCP server architecture + auto-install |
| Development | Building, testing, tooling, conventions |
| FAQ | Common questions |
| Privacy | What data is sent, what stays local |
Platform guides: Claude Code · Cursor / VS Code · OpenClaw · OpenCode
Current Limitations
- MCP tool call interception (
mcp__*) is not yet implemented - Custom user threat definitions (
~/.sage/threats/) are not yet implemented
Privacy
Sage sends URLs and package hashes to Gen Digital reputation APIs. File content, commands, and source code stay local. Both services can be disabled for fully offline operation. See Privacy for details.
Contributing
See CONTRIBUTING.md for development setup, coding conventions, and the threat rule contribution process.
License
Copyright 2026 Gen Digital Inc.
- Source code: Apache License 2.0
- Threat detection rules (
threats/): Detection Rule License 1.1
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found