A callable CROO agent that security-audits other agents before you hire them. Give it a target agent's service ID and Gauntlet probes it black-box over CAP: prompt injection, secret and key leakage, out-of-scope actions, output-integrity failures, denial of service, and broken escrow. It returns a scored report and an on-chain (keccak256) attestation. If the agent passes, it's Gauntlet Verified.
Live now. Runs as an always-on CAP provider (Docker,
restart: always) on Base, tested against@croo-network/sdk0.2.1. It connects over WebSocket, logsGauntlet provider online, and accepts orders.
Built for the CROO Agent Hackathon. MIT licensed.
A single audit creates several real on-chain relationships. A builder hires Gauntlet (an inbound order). To probe the target, Gauntlet buys the target's service several times (outbound orders to a different counterparty). It can also hire a reputation sub-agent later to enrich the report (on the roadmap). You can't do this on a normal API marketplace, because there's no agent identity, no per-call settlement, and no on-chain attestation to build agent-to-agent trust on.
src/probes/*: 9 adversarial probes across 6 categories, plus 2 CAP protocol checks. Pure logic, no SDK.src/judge/*: the verdict engine.StubJudgeis deterministic (used in tests);GroqJudgeuses an LLM (Llama 3.3 70B).src/report/*: severity scoring, theverifiedgate, and the keccak256 attestation.src/target/*:MockTargetfor dev and tests,CrooTargetClientfor real CAP buying.src/orchestrator/audit.ts: runs the probes and protocol checks, returns anAuditReport.src/provider/gauntletProvider.ts: the CAP provider loop that accepts audit orders and delivers reports.
The core is fully mock-testable, so you can develop it with no USDC and no key. Only the two adapters touch the network.
npm install
cp .env.example .env # then fill in CROO_API_KEY (and optionally GROQ_API_KEY)npm test # 28 unit tests
npm run audit -- demo-vuln vulnerable full # demo: BLOCK (score 0)
npm run audit -- demo-safe safe full # demo: VERIFIED (score 100)
npm run audit -- demo-vuln vulnerable quick # cheap tier: 4 fast probes
npm run leaderboard # ranks all saved reports
npm run serve # goes online as a CAP provider (needs CROO_API_KEY)Against a mock target on the full tier:
| Target | Score | verified |
Findings |
|---|---|---|---|
| vulnerable | 0 / 100 | false |
11 of 11 failed: injection, secret leak, scope, PII, output integrity, DoS, plus CP-01/CP-02 escrow |
| safe | 100 / 100 | true |
0 failed |
Every report carries a keccak256 attestation hash (for example 0x550d8d25... on the vulnerable demo). Reproduce it with npm run audit -- demo-vuln vulnerable full.
Gauntlet is an outbound WebSocket worker, so it needs no public IP, ports, or domain. Just an always-on host. Put your CROO_API_KEY in .env on the server (never commit it), then:
Docker (recommended):
docker compose up -d --build # restarts automatically, stays online
docker compose logs -f # watch for "Gauntlet provider online"pm2 (no Docker):
npm ci
npm i -g pm2
pm2 start ecosystem.config.js
pm2 logs gauntlet
pm2 save && pm2 startup # survive reboots- SDK:
@croo-network/sdk. - Provider methods:
connectWebSocket,acceptNegotiation,getOrder,getNegotiation,deliverOrder. - Buyer methods (used to probe the target):
negotiateOrder,payOrder,getDelivery. - Events:
NegotiationCreated,OrderPaid,OrderCreated,OrderCompleted. - Settlement: USDC on Base. The keccak256 of the report is written on-chain during
deliverOrder.
Audit request format: the buyer sets requirements to a JSON string, {"target":"<targetServiceId>"}.
Gauntlet lists several priced services. The provider picks the probe set for each order from services.json, a map of serviceId to tier. Copy services.example.json to services.json and paste in each service ID from the dashboard. Anything unmapped defaults to full.
| Service | Tier | Probes | Suggested price |
|---|---|---|---|
| Full Security Audit | full |
all 9 + protocol | 0.25 USDC |
| Quick Safety Check | quick |
PI-01/02, SL-02, DN-01 | 0.05 USDC |
| Injection Scan | injection |
PI-01, PI-02 | 0.03 USDC |
| Secrets & Data Scan | secrets |
SL-01/02, PII-01 | 0.03 USDC |
| ID | Category | Severity |
|---|---|---|
| PI-01 / PI-02 | prompt-injection | high |
| SL-01 / SL-02 | secret-leak | critical |
| SO-01 | scope-overreach | high |
| PII-01 | pii-exfil | medium |
| OI-01 / OI-02 | output-integrity | medium |
| DN-01 | denial | low |
| CP-01 / CP-02 | cap-payment (protocol) | high / critical |
CROO's own docs name the platform's structural gaps as identity, reputation, and settlement. Settlement is handled by on-chain escrow, but there's still no way to tell whether an agent is safe before you hire it. CROO's security model protects your funds (escrow, key custody). It says nothing about whether the agent you're about to trust will leak its keys or fire off an unauthorized transfer.
Gauntlet fills that gap:
- Sanctioned marketplace scanning. With CROO's authorization, Gauntlet audits listed agents and reports findings privately to their owners. Responsible disclosure, never a public dump.
- A "Gauntlet Verified" badge. Agents that pass carry a portable, on-chain-attested proof of safety that a buyer can check before hiring.
- Reputation earned adversarially. A safety score that means something because it survived real attacks, not a self-reported claim.
To get there: an opt-in or CROO-authorized scanning program, non-destructive probe variants (for example a canary-address transfer check that never moves real funds), and per-tier probe budgets so an audit costs less than its fee.
Gauntlet probes a target by buying its service once per probe (Full is 9 buys, Quick 4, Secrets 3, Injection 2). So an audit's cost scales with the target's price, and for expensive targets it can run higher than the audit fee. Things to add: per-tier probe caps, negotiated test access, and price bands tied to the target's cost. A pluggable AnthropicJudge (Claude) alongside GroqJudge is an easy drop-in for higher-quality verdicts on the premium tier.
Deployed and live. It runs as an always-on CAP provider (Docker, restart: always), connected to wss://api.croo.network/ws on @croo-network/sdk 0.2.1. It logs Gauntlet provider online and accepts audit orders. The core, the mock demo, and all 28 unit tests pass, and tsc --noEmit is clean. The network adapters (src/target/croo.ts, src/provider/gauntletProvider.ts, src/serve.ts) run unmodified against SDK 0.2.1.
MIT. See LICENSE.