2026-07-14
A machine running an AI agent is a rich target: it usually has SSH keys, cloud credentials, a browser profile, LLM API keys, and sometimes a funded crypto wallet — all reachable by anything the agent installs. Public audits of skill marketplaces keep finding the same playbook.
~/.ssh/id_rsa) — lateral movement into other hosts.~/.aws/credentials, env tokens) — direct access to infrastructure and billing.Fake “prerequisites” that ask the agent to run a setup command,
curl | bash chains, base64-encoded payloads, install-lifecycle scripts that run
automatically on npm install, and prompt-injection text aimed at the agent reading the
skill. Lazaretto screens for each of these deterministically.
curl -s https://lazaretto.dev/v1/known-bad/<sha256> # free
curl -s -X POST https://lazaretto.dev/v1/scan -H 'content-type: application/json' \
-d '{"target":{"type":"clawhub_skill","ref":"owner/skill"},"depth":"full"}'
A one-cent-scale check before install is cheap next to a drained wallet or a leaked cloud key. Reports are signals, not a warranty — but they surface the exact behavior, with evidence, before the code runs.
Lazaretto is the pre-install checkpoint agents call themselves. Try it · pricing.