This product was not featured by Product Hunt yet. It will not be visible on their landing page and won't be ranked (cannot win product of the day regardless of upvotes).
Product upvotes vs the next 3
Waiting for data. Loading
Product comments vs the next 3
Waiting for data. Loading
Product upvote speed vs the next 3
Waiting for data. Loading
Product upvotes and comments
Waiting for data. Loading
Product vs the next 3
Loading
diplomat-agent
Find unguarded tool calls in your AI agent code
We scanned 16 AI agent repos (Skyvern, Dify, CrewAI, PraisonAI, Khoj). 76% of tool calls with real-world side effects, payments, emails, DB writes, deletes, had zero runtime protection. diplomat-agent finds them : pip install diplomat-agent diplomat-agent scan Zero config. Zero deps (stdlib only). AST, not regex. Outputs: terminal, JSON, SARIF 2.1.0, CSAF 2.0, and toolcalls.yaml — a Behavioral BOM of every side effect your agent can trigger. Maps to OWASP Agentic Top 10. Apache-2.0.
Hey Product Hunt 👋
I built diplomat-agent after noticing a structural pattern across AI agent codebases.
Functions that can charge cards, send emails, and delete data reach production with nothing between the LLM's decision and the real-world consequence. This isn't negligence — framework authors say hard enforcement is the operator's job. In practice, that operator is often nobody.
Concrete example from our scan: Khoj's ai_update_memories calls session.delete() + session.add() with no confirmation, no rate limit, no validation. One adversarial prompt wipes a user's memory store.
The scanner uses AST (not regex) and is intra-procedural + same-package decorators. Limits are documented — it's a static layer, not a silver bullet. The runtime layer (diplomat-gate) is a separate project.
Full methodology and per-repo breakdown in REALITY_CHECK_RESULTS.md.
Curious what your agent codebase looks like when you scan it. Happy to dig into specific findings.
About diplomat-agent on Product Hunt
“Find unguarded tool calls in your AI agent code ”
diplomat-agent was submitted on Product Hunt and earned 3 upvotes and 1 comments, placing #160 on the daily leaderboard. We scanned 16 AI agent repos (Skyvern, Dify, CrewAI, PraisonAI, Khoj). 76% of tool calls with real-world side effects, payments, emails, DB writes, deletes, had zero runtime protection. diplomat-agent finds them : pip install diplomat-agent diplomat-agent scan Zero config. Zero deps (stdlib only). AST, not regex. Outputs: terminal, JSON, SARIF 2.1.0, CSAF 2.0, and toolcalls.yaml — a Behavioral BOM of every side effect your agent can trigger. Maps to OWASP Agentic Top 10. Apache-2.0.
On the analytics side, diplomat-agent competes within Open Source, Developer Tools, Artificial Intelligence and GitHub — topics that collectively have 1.1M followers on Product Hunt. The dashboard above tracks how diplomat-agent performed against the three products that launched closest to it on the same day.
Who hunted diplomat-agent?
diplomat-agent was hunted by Josselin Guarnelli. A “hunter” on Product Hunt is the community member who submits a product to the platform — uploading the images, the link, and tagging the makers behind it. Hunters typically write the first comment explaining why a product is worth attention, and their followers are notified the moment they post. Around 79% of featured launches on Product Hunt are self-hunted by their makers, but a well-known hunter still acts as a signal of quality to the rest of the community. See the full all-time top hunters leaderboard to discover who is shaping the Product Hunt ecosystem.
For a complete overview of diplomat-agent including community comment highlights and product details, visit the product overview.
Josselin Guarnelli