praxen

agent
Security Audit: Fail

Health: Warn
  • License — License: Apache-2.0
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Low visibility — Only 5 GitHub stars

Code: Fail
  • rm -rf — Recursive force deletion command in build.sh

Permissions: Pass
  • Permissions — No dangerous permissions requested

SUMMARY

Praxen — agent behavior verifier. Compares an AI agent's declared policy against the available evidence; reports where observed behavior diverges from declared intent.

README.md

Praxen

agent behavior verifier · Version 0.7.8

License: Apache-2.0
Python 3.9+

Make sure your agent does its job — and only its job.

That's where the risk actually lives: most agentic security and safety failures come down to an agent not doing its job — malfunctioning, misaligned, or adversarially subverted.

Praxen is named for praxis (Ancient Greek πρᾶξις), the act of turning theory into practice — which is exactly its job: verifying that an agent's declared intent (the theory) actually shows up in its observed behavior (the practice).


📦 Install with Claude Code — /plugin marketplace add open-agent-ai-security/praxen then /plugin install praxen@open-agent-ai-security. Full guide: docs/installation.md.

👀 See a real report first — the live FinBot analysis report, rendered on GitHub Pages.


Why behavior verification?

Praxen is the open-source reference implementation of Agent Behavior Verification (ABV) — a proactive control model for AI agents and digital workers. The premise is the same one identity and access management applies to human employees: every actor has an authorized role, and the controls have to actually enforce it.

And a misbehaving agent is hard to catch: whatever the cause, it surfaces the same way — as wrong behavior. So the only reliable signal is the behavior itself.

That's why screening for prompt injections, or scanning code for known-bad patterns, isn't enough. Those are necessary but partial: they catch some inputs and some implementation flaws, not the question that actually matters — is this agent going to do, or is it doing, the thing it was deployed to do, and nothing else?

Answering that requires two things Praxen makes first-class:

  1. A wholesale way to define the agent's job — its mission, authorized tools, approved channels, counterparties, and forbidden actions. That's the Worker Remit.
  2. A way to test reality against that definition — point Praxen at the agent's code, its live deployment state, or its behavioral history, and get back exactly where observed behavior diverges from declared intent.

Define the job. Test against the job. Everything else in Praxen serves those two steps.


How it works (30 seconds)

  • You write a Worker Remit — a markdown policy document declaring what the agent is allowed to do — by hand, or have Praxen draft one from your description or docs. (authoring guide)
  • You point Praxen at evidence — source code, deployment state, behavioral logs, governance docs, or any mix. (usage)
  • Praxen reports the gap. Every finding answers a single question: does observed behavior match declared intent? (reading reports)

In practice, that's one sentence to your coding agent — e.g. "Run a Praxen behavior analysis on ./my-agent" — and Praxen does the rest: it finds (or asks for) the Worker Remit, reads the workspace, and writes the report.

Findings land in a self-contained HTML report, a machine-readable JSON file, and a plain-text summary in ./reports/. Nothing phones home.

Praxen runs before deployment and on each release — pre-deployment verification of the agent's controls against its remit. Runtime monitoring of the deployed agent (Agent Behavior Analytics, ABA) is a complementary layer outside Praxen's scope.


What Praxen verifies

Every analysis runs a set of named verification patterns, including:

  • Policy-implementation divergence — the code or behavior doesn't do what the policy document says
  • Credential exposure — secrets in unexpected locations across the workspace
  • Configuration gaps — auto-approved exec, disabled loop detection, missing rate limits
  • Capability drift — new tools or outbound destinations not in the authorized baseline
  • Compound signal reasoning — individual findings chained when they combine into a high-severity attack path

…and more — supply-chain risk (unpinned dependencies, unreviewed plugins), declared-but-never-consulted controls, empty security-stub files (planned-but-unbuilt sandboxes, approval gates, redactors), and secondary prompt discovery (session-loaded identity files like SOUL.md / AGENTS.md / MEMORY.md audited as system prompts). See docs/usage.md and PRAXEN_SPEC.md for the full set.

Each finding is tagged against the OWASP Top 10 for LLM Applications 2025, OWASP Top 10 for Agentic AI Applications 2026, the OWASP Secure MCP Server Development Guide 2026 (when MCP config is present), and the RAISE Framework (six-category 0–5 maturity score). Reports include per-framework OWASP LLM Top 10 and OWASP Agentic Top 10 coverage grids — browse the live OWASP Coverage Report for the aggregate across Praxen's example suite. See docs/owasp.md and docs/RAISE.md for the frameworks, and docs/interpreting-reports.md for how they appear on a report.


Get started

Prerequisites: a coding agent (tested against Claude Code; any agent with tool-use and multi-step instruction-following works) and Python 3.9+ on the PATH for the report renderer. No pip install; the renderer is stdlib-only.


Examples

The examples/ directory contains real analyses against deliberately vulnerable agents from the OWASP Agentic AI CTF and the Damn Vulnerable AI Agent project. Each example ships with the Worker Remit we wrote, the HTML report, and the JSON findings — see examples/README.md for the walkthrough.


Project sponsor

Praxen is sponsored by Exabeam. Exabeam contributed the initial code and continues to provide ongoing support and contributions to the project as part of its commitment to security in an increasingly agentic world.


License

Praxen is licensed under the Apache License, Version 2.0. Portions of the knowledge base (skills/behavior-verifier/knowledge/) are distilled from OWASP Gen AI Security Project publications and used under CC BY-SA 4.0; see NOTICE for attribution. Contributions are welcome under the same license, with a DCO sign-off — see CONTRIBUTING.md.
