Agent Keeper
Tutorials

Install the Agent Keeper Plugin

Add real-time threat detection to Claude Code in 60 seconds. No account, no API key, no configuration. Just install and go.

What you get instantly

  • Threat detection patterns — credential exfiltration, reverse shells, prompt injection, SUID manipulation, DNS exfiltration, and more
  • 4 lifecycle hooks — UserPromptSubmit, PreToolUse, PostToolUse, SessionStart
  • 9 slash commands/agentkeeper:audit, /agentkeeper:secrets, /agentkeeper:inspect, and more
  • Zero network calls — everything runs locally on your machine. No telemetry.
1

Add the Agent Keeper marketplace

In Claude Code, run:

/plugin marketplace add agentkeeper/security

This registers the Agent Keeper plugin catalog with your Claude Code installation. You only need to do this once.

2

Install Agent Keeper

/plugin install agentkeeper

Claude Code registers 9 new slash commands in your session. Hooks are written to ~/.claude/settings.json but do not activate until Claude Code starts up fresh.

3

Restart Claude Code

Quit Claude Code and reopen it. Hooks are loaded once at startup, so a full restart is required before Agent Keeper begins intercepting tool calls.

4

Try it out

Run a security audit of your Claude Code setup:

/agentkeeper:audit

This checks 10 security dimensions — sandbox mode, root execution, secret exposure, git signing, hook coverage, permissions, and more — then gives you a letter grade with actionable recommendations.

Then scan for exposed secrets:

/agentkeeper:secrets

And audit your installed plugins for threats:

/agentkeeper:inspect
5

Connect your dashboard

Link the plugin to a free Agent Keeper account so threats surface in your dashboard and every session contributes to fleet visibility.

/agentkeeper:connect

Opens your browser to approve the device. Sign up at Agent Keeper signup first if you don't already have an account — free, no credit card.

Prefer local-only?
You can skip this step by running /agentkeeper:setup --local instead. Detection still runs against bundled threat patterns, but nothing leaves your machine and you won't see events in a dashboard. You can connect later at any time.
6

Configure warn or block mode

/agentkeeper:setup

Default mode is warn— threats are flagged but execution continues. Switch to block to prevent dangerous commands from executing.

Need team-wide coverage?
The plugin protects individual developers. For fleet-wide policy enforcement where every developer who pulls a repo is automatically covered, use push-hooks for teams.
Source code
The plugin is open source: github.com/rad-security/agentkeeper/tree/main/plugin

Automate these checks with Agent Keeper

One setup flow connects your agent fleet and starts enforcing policy.