Security Center

Kyber includes a built-in Security Center that scans your environment for vulnerabilities, misconfigurations, and threats. It runs as an agent task — the AI performs each check, interprets the results, and writes a structured report you can review in the dashboard.

What it scans

The security scan covers 12 categories:

| Category | What it checks |
|---|---|
| Network | Open ports, services bound to 0.0.0.0, unexpected listeners |
| SSH | Password auth, root login, key permissions, unknown authorized keys |
| Permissions | World-writable files, loose permissions on keys and credentials |
| Secrets | API keys in shell configs, .env files with sensitive data |
| Software | Outdated packages (system, Homebrew, npm, pip) |
| Processes | Suspicious CPU usage, unknown cron jobs, unusual processes |
| Firewall | Whether the system firewall is enabled |
| Docker | Running containers, images, containers running as root |
| Git | Secrets in recent commits, .gitignore coverage |
| Kyber | Config permissions, exposed API keys, dashboard token strength |
| Malware | Background ClamAV malware scanning (trojans, viruses, rootkits) |
| Skill Scan | Cisco AI Defense skill-scanner for prompt injection, data exfiltration, and malicious code in skills |

Running a scan

From the dashboard: Open the Security Center tab and click Run Scan Now. The agent works through all checks and writes a report. Progress is shown in real time with step details and elapsed time.

From chat: Ask the agent in any channel or the CLI:

scan my system for security issues
run a security audit

The agent produces a JSON report saved to ~/.kyber/security/reports/.

Reading the report

Each report includes:

  • A security score from 0–100 (starts at 100, deductions per finding severity)
  • A summary with counts by severity: critical, high, medium, low
  • Individual findings with ID, category, severity, description, remediation steps, and evidence
  • Category status for each area: pass, warn, fail, or skip
  • AI notes with plain-language analysis and recommendations

Reports are viewable in the dashboard’s Security Center tab, or as JSON files in ~/.kyber/security/reports/.

Issue tracking

The Security Center tracks findings across scans automatically:

  • New — first time this issue has been seen
  • Recurring — seen in a previous scan and still present
  • Resolved — previously seen but no longer detected

Tracking is based on fingerprinting (category + title), so the same issue is recognized across scans even if the agent assigns different IDs. You can dismiss findings you’ve reviewed and decided aren’t a concern — dismissed findings won’t appear in future reports.

The tracker lives at ~/.kyber/security/issues.json.

Severity levels

| Severity | Score impact | Examples |
|---|---|---|
| Critical | −20 | Malware detected, root SSH with no password |
| High | −10 | Redis bound to all interfaces, world-readable private keys |
| Medium | −5 | Firewall disabled, ClamAV not installed |
| Low | −2 | Outdated packages |

Only genuine security risks are reported. Informational items like missing metadata or configuration preferences are not included.
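
The tracking and scoring rules from the Issue tracking and Severity levels sections, shown as an added Python example (not Kyber's own code). The field names, the hashed fingerprint format, and scoring only non-dismissed findings are assumptions; the sample findings are constructed.

```python
import hashlib

DEDUCTIONS = {"critical": 20, "high": 10, "medium": 5, "low": 2}  # severity table

def fingerprint(finding):
    """Stable key from category + title; the agent-assigned ID is ignored."""
    # Case/whitespace normalisation and hashing are assumptions of this example.
    key = f"{finding['category'].strip().lower()}|{finding['title'].strip().lower()}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def score(findings):
    """Start at 100, subtract per finding, clamp to the documented 0-100 range."""
    return max(0, 100 - sum(DEDUCTIONS[f["severity"]] for f in findings))

def track(tracker, findings):
    """Classify one scan against the tracker dict, which is updated in place."""
    seen = {fingerprint(f): f for f in findings}
    out = {"new": [], "recurring": [], "resolved": [], "reported": []}
    for fp, f in seen.items():
        entry = tracker.get(fp)
        if entry and entry["dismissed"]:
            continue  # dismissed findings stay out of later reports
        # Assumption: an issue that reappears after being resolved counts as recurring.
        status = "recurring" if entry else "new"
        tracker[fp] = {"title": f["title"], "status": status, "dismissed": False}
        out[status].append(f["title"])
        out["reported"].append(f)
    for fp, entry in tracker.items():
        if fp not in seen and entry["status"] != "resolved" and not entry["dismissed"]:
            entry["status"] = "resolved"
            out["resolved"].append(entry["title"])
    return out

# Constructed sample findings; the agent gives the Redis issue a different ID per scan.
SCAN_1 = [
    {"id": "F-001", "category": "network", "severity": "high", "title": "Redis bound to all interfaces"},
    {"id": "F-002", "category": "firewall", "severity": "medium", "title": "Firewall disabled"},
]
SCAN_2 = [
    {"id": "NET-7", "category": "Network", "severity": "high", "title": "Redis bound to all interfaces"},
    {"id": "SW-1", "category": "software", "severity": "low", "title": "Outdated packages"},
]

if __name__ == "__main__":
    tracker = {}
    for scan in (SCAN_1, SCAN_2):
        result = track(tracker, scan)
        # Assumption: only reported (non-dismissed) findings count against the score.
        print(score(result["reported"]), {k: result[k] for k in ("new", "recurring", "resolved")})
```

Because the fingerprint ignores the ID, the Redis finding is matched across both scans even though it is labelled F-001 in one and NET-7 in the other.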

Malware scanning with ClamAV

The malware category uses ClamAV, a free, open-source antivirus engine maintained by Cisco Talos. Kyber runs ClamAV scans automatically in the background on a daily schedule — you don’t need to trigger them manually.

How it works

Kyber registers a daily cron job (kyber-clamscan) that runs at 3:00 AM in your configured timezone. The scan runs in the background using clamscan (standalone) or clamdscan (daemon mode, if available) and writes results to ~/.kyber/security/clamscan/.

The dashboard’s Security Center shows:

  • The latest scan result (clean, threats found, or error)
  • Which scanner was used (standalone or daemon)
  • When the next scheduled scan will run
  • Recent scan history

You can also trigger a scan manually from the dashboard by clicking Run Now on the Malware Scan card.

Installing ClamAV

kyber setup-clamav

This will:

  1. Detect your OS and package manager
  2. Install ClamAV (brew install clamav on macOS, apt/dnf/zypper/pacman on Linux)
  3. Configure freshclam.conf and clamd.conf (socket directory, database path, daemon settings)
  4. Create the socket directory with correct ownership so clamd can start
  5. Enable and start the clamd daemon and freshclam signature updater as system services
  6. Download the latest virus signature database (~300MB on first run)
  7. Verify everything is actually running before reporting success

If ClamAV is already installed, the command verifies your config and fixes any issues. The daily scan cron job is registered automatically at startup — no manual scheduling needed.

Manual installation

macOS (Homebrew):

brew install clamav
cp "$(brew --prefix)"/etc/clamav/freshclam.conf.sample "$(brew --prefix)"/etc/clamav/freshclam.conf

Edit the config and comment out or remove the line that says Example, then download signatures:

freshclam

Debian / Ubuntu:

sudo apt install clamav
sudo freshclam

Fedora / RHEL / AlmaLinux:

sudo dnf install clamav clamd clamav-update
sudo freshclam

For other platforms, see the official ClamAV docs.

What gets scanned

ClamAV performs a full system scan starting from /, so it works consistently across desktops, laptops, and VPS environments. Common non-essential directories are excluded to keep scan times reasonable:

  • /proc, /sys, /dev, /run, /snap (virtual/system filesystems)
  • .git, node_modules, .venv, __pycache__, .cache, .npm, .nvm (development noise)
  • .Trash, Library/Caches (macOS)

Keeping signatures up to date

Signature updates are handled automatically by the freshclam service that kyber setup-clamav enables. You can also re-run the setup command to verify and fix your installation:

kyber setup-clamav

Skill security scanning

The skill scan category uses the Cisco AI Defense skill-scanner to detect threats in installed agent skills. It checks for:

  • Prompt injection attacks
  • Data exfiltration patterns
  • Malicious code and unsafe network calls
  • Behavioral dataflow anomalies
  • YARA rule matches

Installing the skill scanner

kyber setup-skillscanner

This installs the skill-scanner CLI tool. Once installed, future security scans automatically include skill scanning.

What gets scanned

The scanner checks all skills in:

  • ~/.kyber/skills/ (user-installed skills)
  • ~/kyber-workspace/skills/ (workspace skills)

Only actual security threats are reported. Missing metadata (like licenses or descriptions) is not flagged — those aren’t security issues.

If the skill scanner is not installed, the security scan notes this and skips the category. All other checks still run normally.

Report history

Kyber keeps the 20 most recent scan reports. Older reports are automatically cleaned up after each scan. Reports are stored as JSON at:

~/.kyber/security/reports/report_YYYY-MM-DDTHH-MM-SS.json