You deployed a Python AI agent. Do you know every function it can call that writes to a database, sends an email, charges a card, or deletes data—and which ones have zero checks? Diplomat-agent answers that question in about two seconds per thousand-file repo using static AST analysis, no runtime required.

The Agent Governance Gap

Traditional web apps have humans clicking buttons. The UI enforces validation, confirmation dialogs pop up, rate limits exist per session. In an agentic system, the LLM decides which functions to call, with what arguments, how many times. It doesn't know your business rules. It can loop, hallucinate arguments, or get prompt-injected. Without guards in the code itself, there's nothing between the model's decision and real-world consequences.

What Diplomat-Agent Detects

The scanner flags 40+ patterns across eight categories: database writes (session.commit(), .save(), .create()), deletes (session.delete(), .remove()), HTTP mutations (requests.post(), httpx.put()), payment operations (stripe.Charge.create(), stripe.Refund.create()), email/messaging (smtp.sendmail(), ses.send_email()), agent invocations (graph.ainvoke(), Runner.run_sync()), destructive commands (subprocess.run(), exec()), and publish/upload operations (s3.put_object()). What counts as a guard: input validation, rate limiting, auth checks, confirmation steps, idempotency keys, retry bounds.
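To make the approach concrete, here is an added example (a toy scanner of my own, not diplomat-agent's code) that walks a module's AST with Python's stdlib ast module, flags a constructed subset of the sink patterns listed above, and treats an enclosing if, or an early-exit if whose condition mentions validation, auth, confirmation, rate limiting or idempotency, as a guard; it also honours the # checked:ok line annotation mentioned under Known Limitations. The sink list, guard keywords and sample module are all constructed for illustration.

```python
import ast
# Hypothetical mini-scanner in the spirit of the article, not diplomat-agent's own code.
SINKS = {"session.commit", "session.delete", "requests.post", "stripe.Charge.create", "subprocess.run"}
GUARD_WORDS = ("valid", "check", "auth", "confirm", "rate_limit", "idempot")  # constructed heuristic
def looks_like_guard(test): return any(w in ast.unparse(test).lower() for w in GUARD_WORDS)

class SinkScanner(ast.NodeVisitor):
    def __init__(self, lines):
        self.lines, self.guards, self.findings = lines, [], []
    def scan_block(self, stmts):
        pushed = 0
        for stmt in stmts:
            early_exit = (isinstance(stmt, ast.If) and stmt.body
                          and isinstance(stmt.body[-1], (ast.Return, ast.Raise)))
            self.visit(stmt)
            if early_exit:  # `if not valid(x): raise` guards the rest of this block
                self.guards.append(looks_like_guard(stmt.test)); pushed += 1
        del self.guards[len(self.guards) - pushed:]
    def generic_visit(self, node):  # route every statement list through scan_block
        for _, value in ast.iter_fields(node):
            if isinstance(value, list) and value and isinstance(value[0], ast.stmt):
                self.scan_block(value)
            else:
                for item in (value if isinstance(value, list) else [value]):
                    if isinstance(item, ast.AST): self.visit(item)
    def visit_If(self, node):
        self.guards.append(looks_like_guard(node.test))  # body runs only if the test holds
        self.scan_block(node.body)
        self.guards.pop()
        self.scan_block(node.orelse)
    def visit_Call(self, node):
        name = ast.unparse(node.func)
        if name in SINKS:  # a "# checked:ok" comment on the line counts as reviewed
            annotated = "# checked:ok" in self.lines[node.lineno - 1]
            self.findings.append((node.lineno, name, annotated or any(self.guards)))
        self.generic_visit(node)

def scan_source(source):  # -> [(line, sink, guarded), ...] for every sink call found
    scanner = SinkScanner(source.splitlines())
    scanner.scan_block(ast.parse(source).body)
    return scanner.findings

SAMPLE = '''def charge(order, amount):
    if not validate_amount(amount): raise ValueError("bad amount")
    stripe.Charge.create(amount=amount, idempotency_key=order.id)
def notify(url, payload):
    requests.post(url, json=payload)
def wipe(session, row):
    session.delete(row)  # checked:ok admin-only path, reviewed'''
```

Running scan_source(SAMPLE) reports the requests.post call on line 5 as the only unguarded sink; the real tool additionally traces into called functions, which this toy deliberately does not.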

The Numbers Are Bad

The team scanned 16 open-source agent repositories and found 70.9% of analyzable tool calls have no guard at all—with a 1.7% opacity rate measured via inter-procedural tracing across 7,552 total tool calls. Breaking it down by repo: Skyvern had 58% unguarded (435 of 753), AutoGPT hit 70% (469 of 668), Dify landed at 71% (967 of 1,361), PraisonAI topped the chart at 86% (1,106 of 1,281), and CrewAI came in at 75% (317 of 425). Application-layer repos averaged roughly 62% unguarded across nearly 3,000 tool calls.

CI, IDE, and Pre-Commit Integrations

The tool ships as a pip package with zero external dependencies—just Python's stdlib ast module under the hood. Teams can block unguarded PRs by running diplomat-agent scan . --fail-on-unchecked in CI pipelines, integrate with Copilot Chat (VS Code, Cursor, Windsurf) by selecting "Diplomat Reviewer" in the agent dropdown, or use Claude Code by asking it to "scan for unguarded tool calls." A pre-commit hook is available at v0.5.3, and SARIF output feeds directly into VS Code's Problems panel or GitHub Code Scanning.

Beyond Static Analysis: The Diplomat Suite

diplomat-agent finds what your agent can do statically—before deployment. The companion tool diplomat-gate enforces CONTINUE/REVIEW/STOP verdicts at runtime with sub-millisecond latency and 15+ pre-built policies for payments, emails, and shell commands. For compliance teams, diplomat.run provides a hosted control plane with hash-chained immutable audit trails and export capabilities aligned to OWASP Agentic Top 10, EU AI Act, NIST, and DORA standards.

Output Formats and SBOM Generation

Results come in Terminal (human review), JSON (automation/IDE agents), SARIF 2.1.0 (VS Code/GitHub), CSAF 2.0 (security teams/CERTs), Markdown (documentation), or Registry format for generating a toolcalls.yaml behavioral SBOM—think requirements.txt but describing what your agent can do, not what it depends on. Teams commit this file and diff it in PRs so new capabilities surface automatically during review.

Known Limitations

Static analysis only—no runtime detection. Python only; TypeScript support is on the roadmap. Inter-procedural tracing handles same-package top-level functions to a maximum depth of 2; class methods, cross-package chains, and deeper call stacks require manual # checked:ok annotations. MCP scanning covers FastMCP and official SDK decorators but not bare @tool imports or TypeScript/Node servers.

Key Takeaways

  • 70%+ of tool calls in scanned open-source agent repos have zero governance checks
  • Installation is pip install diplomat-agent; full scan takes ~2 seconds per thousand files
  • Output formats include SARIF, CSAF, JSON, and a behavioral SBOM for PR diffing
  • Companion runtime guard (diplomat-gate) enforces policies in <1ms with pre-built payment/email policies

The Bottom Line

The agent governance problem is real and widespread—most of these repos were built by developers who knew what they were doing, yet the defaults leave dangerous gaps. Diplomat-agent makes that visible, which is the first step toward fixing it. Whether teams actually close those gaps before production incidents force the issue remains to be seen.