Inventory · Skills · VS Code extensions

Which skills, extensions and agents does your IT team actually know?

A company cannot govern what it cannot see. AI agent inventory maps installed tools, skill roots, VS Code extensions, automations, permissions, origin and links to projects, people and controls.

01 Search intent

The right question is operational.

It is not enough to ask whether the company uses AI. The point is knowing where the agent runs, which skill it loads, which extension is active, what command it can execute and whether sensitive data can leave the environment.

  • Which agents and IDEs are used by team and project.
  • Which skills, MCPs and extensions access shell, network, files and browser.
  • Which tokens and integrations exist, without printing or exposing secrets.
  • Which evidence can demonstrate control for audit.

02 What we deliver

Surface map

The inventory lists agents, extensions, skill roots, manifests and execution points that can affect code, data or credentials.

Risk by permission

Each item receives a practical classification: read, write, shell, network, credential, browser, message automation or API access.

Evidence without secrets

Collection records names, versions, origin and scope. Secrets stay out of the report and out of diffs.

03 Workflow

From intent to evidence.

  1. 01

    Collect local inventory

    Controlled scans identify skill directories, extensions, manifests, public configs and installed agents.

  2. 02

    Cross by project and user

    The result is organized by machine, user, project and organization to separate legitimate use from unapproved shadow AI.

  3. 03

    Generate risks and exceptions

    Unapproved items, high privileges or unknown origin become risk, temporary exception or remediation action.

  4. 04

    Review continuously

    New skills and extensions enter the review cycle, just like dependencies and suppliers already enter security cycles.

04 Practical proof

Why this sells well and solves a real pain.

“Which AI agent is running in my company?” is a simple, executive and urgent question. It opens the conversation with IT, security, compliance and development. Agent Safe Guard shows the practical layer: hooks, skill, installer and public rules that turn agent control into evidence.

  • Technical entry: development environment scan and inventory.
  • Executive entry: shadow AI and privileged agent risk map.
  • ISO entry: evidence of control, review and supplier/third-party code management.

05 FAQ

Direct answers before the conversation.

Does this inventory need to read code or secrets?

Not by default. Collection can start with manifests, names, versions, paths, permissions and origin. Secrets are treated as forbidden to read or print.

Does this apply to OpenClaw, Claude Code, Cursor and others?

Yes. The concept is tool-independent: discover where there is an agent, extension, skill or integration with the power to act in the environment.

How does this become practical action?

The platform can open risks, create evidence, record exceptions and keep recurring review. It is not just a report; it is a governance routine.