Who's watching what your AI agent does when you're not looking?
Source: Dev.to
Overview

This isn’t about AI being dangerous. It’s about a habit most of us have developed without noticing.
You start a Claude Code session. The agent asks permission for the first action. You read it, approve. Second action — you read it, approve. Third action — you skim it, approve. By the fourth or fifth, you’ve clicked “don’t ask again for this session” and gone back to whatever you were doing.
That’s not carelessness. It’s a completely rational response to an approval‑fatigue problem that the tools themselves create. The agents ask too often, for too many things, and we adapt by tuning them out.
The problem gets worse when you’re working remotely. I run AI coding sessions in two ways:
- through OpenClaw connected to Telegram, where I send messages and the agent executes actions on my machine
- through Claude.ai on my phone, running a remote session
Either way, you’re watching a small screen, approving actions with limited context, and eventually you stop reading carefully.
One day I came back to my machine and found that the agent had modified files I didn’t expect — not maliciously, just confidently. An .env file was updated, a config changed, a dependency was added. Nothing catastrophic, but I had no record of it. I couldn’t tell what changed, when, or why.
Solution: AgentGuard
AgentGuard is a background daemon that monitors what AI coding agents do to your files during and between sessions. It doesn’t try to stop the agent from working — it gives you visibility into what happened.
What it actually does
- File watching – monitors configured directories for changes to sensitive files (.env, keys, CI configs, package.json, agent memory files like CLAUDE.md).
- Audit trail – logs each event and can optionally send a Telegram message with Keep / Rollback buttons, even if you’re not at the machine.
- Always‑on – runs as a permanent background daemon (e.g., launchd on macOS) so it watches continuously, not just during explicit sessions.
- Menu‑bar UI – macOS menu bar icon shows daemon status and recent activity, similar to Docker Desktop’s tray icon.
What I learned building it
- Detection vs. action – Detecting changes was easy; deciding what to do with them was hard. Blocking everything makes the agent useless, while blocking nothing defeats the purpose. The solution I settled on: log everything, alert only on truly important events (credential files, mass deletes, CI config changes), and let the user decide.
- Command interception is tricky – Tools like Codex are compiled Rust binaries that don’t invoke a shell in an interceptable way. A file‑watcher turned out to be more reliable than trying to intercept commands for most agents.
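The triage rule described above (log everything, alert only on credential files, mass deletes and CI config changes), sketched as an added example. This is not AgentGuard's code; the file patterns, the event shape (`ts`, `type`, `path`) and the mass-delete threshold are assumptions.

```javascript
// Added illustration, not AgentGuard's code. Patterns, event shape and
// thresholds below are assumptions chosen for the example.
const CREDENTIAL = [/^\.env(\..+)?$/, /\.(pem|key)$/, /^id_(rsa|ed25519)$/];
const CI_CONFIG = [/(^|\/)\.github\/workflows\/[^/]+\.ya?ml$/, /(^|\/)\.gitlab-ci\.yml$/];
const MASS_DELETE_COUNT = 5;          // deletes inside the window that count as "mass"
const MASS_DELETE_WINDOW_MS = 10000;

// Returns the alert reason for a single path, or null for log-only events.
function classify(event) {
  const rel = event.path.replace(/\\/g, '/');
  const base = rel.slice(rel.lastIndexOf('/') + 1);
  if (CREDENTIAL.some((re) => re.test(base))) return 'credential';
  if (CI_CONFIG.some((re) => re.test(rel))) return 'ci-config';
  return null;
}

// Logs every event; alerts only on credential files, CI config and delete bursts.
function triage(events) {
  const log = [], alerts = [], recentDeletes = [];
  let burstReported = false;
  for (const ev of [...events].sort((a, b) => a.ts - b.ts)) {
    log.push(ev);
    const reason = classify(ev);
    if (reason) alerts.push({ reason, ts: ev.ts, paths: [ev.path] });
    if (ev.type !== 'unlink') continue;
    recentDeletes.push(ev);
    while (recentDeletes[0].ts < ev.ts - MASS_DELETE_WINDOW_MS) recentDeletes.shift();
    if (recentDeletes.length < MASS_DELETE_COUNT) { burstReported = false; continue; }
    if (!burstReported) {             // one alert per burst, not one per deleted file
      alerts.push({ reason: 'mass-delete', ts: ev.ts, paths: recentDeletes.map((e) => e.path) });
      burstReported = true;
    }
  }
  return { log, alerts };
}

// Constructed sample events (not real AgentGuard output).
const SAMPLE_EVENTS = [
  { ts: 1000, type: 'change', path: 'src/index.js' },
  { ts: 2000, type: 'change', path: '.env' },
  { ts: 3000, type: 'change', path: '.github/workflows/deploy.yml' },
  { ts: 4000, type: 'change', path: 'package.json' },   // logged, not alerted
  ...[0, 1, 2, 3, 4].map((i) => ({ ts: 5000 + i * 100, type: 'unlink', path: `src/old/mod${i}.js` })),
];

const result = triage(SAMPLE_EVENTS);
console.log(`${result.log.length} events logged, ${result.alerts.length} alerts`);
for (const a of result.alerts) console.log(a.reason, a.paths.join(', '));
```

The dependency change to package.json lands in the log without an alert, while the five deletions produce a single mass-delete alert rather than five.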
Open questions
- Is this the right layer to solve the problem, or should the agents themselves provide better audit trails?
- Should there be a standard for “what did this session change”?
I built this because I needed it. It has been running on my machine for a few weeks, watching two projects. The log is mostly quiet — which is either good news or a sign that I’m not monitoring the right things.
Getting started
npm install -g agentguard-dev
For more details and source code, see the repository: