Zing Forum

Detektor: CI Scanning Tool for AI Agent Security Risks & OpenPAKT Compliance Report Generator

Detektor is a Windows-based security scanning tool focused on detecting security risks in AI agent configurations, including prompt injection vulnerabilities, excessive tool permissions, and unsafe tool calls. It supports generating compliance reports in OpenPAKT format and is suitable for CI/CD pipeline integration.

Tags: AI agent security, prompt injection, CI/CD security, OpenPAKT, security scanning tool, permission review, DevSecOps, LLM security, Windows security tool, compliance report
Published 2026-04-19 03:15 | Recent activity 2026-04-19 03:20 | Estimated read 6 min

Section 01

Detektor: Guide to AI Agent Security Risk Scanning Tool & Compliance Report Generator

Detektor is a Windows-based AI agent security scanning tool that focuses on detecting risks such as prompt injection vulnerabilities, excessive tool permissions, and unsafe tool calls. It supports CI/CD pipeline integration and can generate compliance reports in OpenPAKT format, helping development teams identify security issues early.

Section 02

New Security Challenges in the AI Era

With the widespread application of LLMs and AI agents, traditional security tools struggle to address new threats. AI agents receive instructions via natural language prompts and interact through tool calls, introducing unique attack surfaces: prompt injection can hijack agent behavior, excessive tool authorization may lead to data leaks or system damage, and unsafe CI configurations allow issues to lurk in production environments. Detektor was developed to target these emerging risks.

Section 03

Core Detection Capabilities of Detektor

Detektor is designed around the common risk points of AI agents:
1. Prompt injection identification: Scans prompt files and input paths to find exploitable injection points.
2. Tool permission review: Checks permission configurations and flags excessive authorization (e.g., a tool granted global file system access when it only needs read access to a specific directory).
3. Unsafe tool call detection: Identifies high-risk calls such as executing system commands or accessing sensitive endpoints, so teams can evaluate whether each call is necessary and whether a safer alternative exists.
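As an added example (not Detektor's own code; this page does not document its input formats or rules), here is a small Python reviewer that applies the three checks listed above to a constructed, hypothetical agent manifest: an untrusted input interpolated straight into the prompt, an over-broad filesystem grant on a read-only tool, a shell tool that splices model-controlled text into a command, and an HTTP tool pointed at a sensitive endpoint. The manifest layout, tool kinds and severity labels are assumptions made for the example.

```python
import json
from urllib.parse import urlparse

# Constructed sample manifest (hypothetical layout, not Detektor's input format):
# a prompt template plus four tool grants, with deliberate problems to be found.
SAMPLE_MANIFEST = json.dumps({
    "prompt_template": "You are a release assistant. Summarize this page: {page_text}",
    "untrusted_inputs": ["page_text"],
    "tools": [
        {"name": "read_changelog", "kind": "filesystem", "purpose": "read-only",
         "access": "rw", "paths": ["*"]},
        {"name": "list_builds", "kind": "filesystem", "purpose": "read-only",
         "access": "r", "paths": ["C:\\builds"]},
        {"name": "run_cmd", "kind": "shell", "command": "cmd.exe /c {input}"},
        {"name": "fetch_meta", "kind": "http", "url": "http://169.254.169.254/latest/meta-data"},
    ],
})

GLOBAL_PATHS = {"*", "/", "C:\\", "C:/"}                         # scopes meaning "the whole disk"
SENSITIVE_HOSTS = {"169.254.169.254", "localhost", "127.0.0.1"}  # cloud metadata / loopback


def review_manifest(text):
    """Return a list of (severity, location, message) findings for one manifest."""
    m = json.loads(text)
    findings = []
    # 1. Prompt injection points: untrusted input spliced straight into the instructions.
    template = m.get("prompt_template", "")
    for name in m.get("untrusted_inputs", []):
        if "{" + name + "}" in template:
            findings.append(("high", "prompt_template", f"untrusted input {name} is interpolated into the prompt"))
    # 2. Permission review and 3. unsafe tool-call detection, one tool grant at a time.
    for t in m.get("tools", []):
        name, kind = t["name"], t["kind"]
        if kind == "filesystem":
            if any(p in GLOBAL_PATHS for p in t.get("paths", [])):
                findings.append(("high", name, "global filesystem scope; restrict to the directories needed"))
            if t.get("purpose") == "read-only" and "w" in t.get("access", ""):
                findings.append(("medium", name, "write access granted to a read-only tool"))
        elif kind == "shell":
            if "{input}" in t.get("command", ""):
                findings.append(("high", name, "model-controlled text is spliced into a system command"))
            else:
                findings.append(("medium", name, "executes system commands; confirm it is necessary"))
        elif kind == "http":
            host = urlparse(t.get("url", "")).hostname or ""
            if host in SENSITIVE_HOSTS:
                findings.append(("high", name, f"calls sensitive endpoint {host}"))
    return findings
```

Running `review_manifest(SAMPLE_MANIFEST)` yields five findings; the correctly scoped `list_builds` grant produces none, which is the behaviour a CI gate would key on.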

Section 04

CI/CD Integration & OpenPAKT Compliance Reports

Detektor supports CI/CD pipeline integration to achieve "shift-left security": it automatically scans projects, build folders, or CI output directories during the build process and generates detailed reports containing prompt injection warnings, permission issues, and similar findings. It can also generate compliance reports in OpenPAKT format, an industry-recognized format that can be used for team sharing, compliance audits, and security status tracking. It is recommended to save these reports as build artifacts so that they form an audit trail.

Section 05

Use Cases & Best Practices

Detektor is suitable for various scenarios: AI agent projects (conversational, automated-workflow, and tool-using agents), LLM and tool integration, DevSecOps build checks, prompt security reviews, and permission reviews. Best practices: run scans before release, before merging, and before deployment to form a layered defense; early scans reduce repair costs, while later scans ensure production security.

Section 06

Technical Implementation & User Guide

Detektor is developed on the .NET framework and supports Windows 10/11. Installation requirements: a stable network connection, 200 MB of available disk space, and a user or administrator account; install the .NET Desktop Runtime if prompted. Installation steps: Download the .exe/.zip → Extract (if zip) → Run (handle any Windows security prompts). Usage flow: After launching, point the tool at the project, build, or CI directory → Select the scan type → Run → View the results → Export the report.

Section 07

Troubleshooting & Common Issues

Common issues and solutions:
1. Unable to start: Open the tool with the same user account that downloaded it, check whether Windows has blocked the file, confirm that the download completed and the zip was fully extracted, and install the required .NET runtime.
2. Scan cannot find target: Check that the path is correct, ensure the files are not inside nested zip archives, and use local copies.
Recommended files to scan: agent prompt files, tool configuration files, build scripts, CI pipeline files, and permission definition files.