Independent. Neutral. Evidence-based.

IGLIGQ Methodology

IGLIGQ gives AI agent packages an install-time trust score by combining static analysis, capability extraction, confidence labels and human review where requested.

No code executionStatic scanner runs first.Findings require evidence paths.Free preview remains summary-only.

Scoring model

A result should explain what was found, why it matters, how confident the scanner is and what to fix next.

IGLIGQ scoring lanes
Score laneWeightExamples
Capability exposure30%Filesystem write, shell execution, broad network and autonomous publish or send actions.
Data handling and secrets20%Credential patterns, environment usage, PII handling, storage paths and external transfers.
Prompt and semantic surface20%Instruction override, hidden tool instructions, identity manipulation and behavior mismatch.
Supply chain and dependencies15%Unpinned dependencies, install scripts, risky packages and abandoned repository signals.
Governance and readiness15%Human approval, logs, error handling, disclosure quality and artifact completeness.

Evidence discipline and confidence labels

High

Deterministic pattern and direct evidence path.

Medium

Heuristic pattern or indirect evidence that may need context.

Low

Insufficient context, ambiguous text or generic rule.

Human verified

Reviewed by an IGLIGQ auditor.

Sample module

Capability Bill

A structured view of what the package appears able to read, write, call, execute or expose.

Sample capability evidence
CapabilityActionSeverityConfidenceEvidence
Network accessCalls external mail APIHighHighscripts/send.ts -> fetch(api.mailprovider.example)
Filesystem writeWrites local export filesMediumMediumsrc/exporter.ts -> fs.writeFile(outputPath)
Prompt surfaceContains oversight-reduction wordingMediumMediumSKILL.md contains autonomous retry and approval-bypass language
Secrets handlingReads environment variablesMediumLowconfig/mail.ts -> process.env.MAIL_API_TOKEN

Sample module

Claims vs Behavior

IGLIGQ compares stated purpose with visible behavior, permissions, external services and risky instructions.

Stated purpose

  • Summarizes Gmail threads
  • Drafts follow-up replies

Observed behavior

  • Calls external mail API
  • Writes local export files

Mismatch labels

  • External data transfer not disclosed
  • Storage behavior not disclosed

Paid next step

Verified Audit for public trust

Request a human-reviewed report when you need a public badge, procurement-ready PDF or enterprise private review. Review payment covers the audit process, not a guaranteed pass.

Use the Method

Start with the browser-side free preview, inspect the sample report, then request a human audit if you need public proof or enterprise review.