Temodar Agent is now listed in awesome-bugbounty-tools — a curated bug bounty resources list with 5.9k+ GitHub stars.
AI agent-powered WordPress security scanner for plugin and theme triage, Semgrep analysis, and source-aware investigation workflows.
Temodar Agent is an AI-powered WordPress plugin and theme security analysis platform built for security researchers, product security teams, auditors, and defenders. It combines AI agent workflows, multi-provider LLM orchestration, Semgrep-powered static analysis, and risk-based WordPress reconnaissance in one local-first Docker application.
If you are looking for an AI security scanner for WordPress plugins, an AI agent workflow for code review, or a Semgrep-based vulnerability triage platform, Temodar Agent is designed to make that process faster, more structured, and easier to scale.
|
AI-assisted security dashboard Launch scans, prioritize targets, and review results from one interface |
Semgrep + AI investigation workflow Move from static analysis to source-aware AI review without losing context |
|
|
Temodar Agent helps teams identify which WordPress plugins and themes deserve attention first, run repeatable code analysis, and continue investigation with AI agent systems that stay attached to the target under review.
Core platform capabilities include:
- WordPress plugin and theme scanning
- risk-based target prioritization
- Semgrep-powered static application security testing
- AI agent-assisted investigation threads
- multi-provider AI configuration and execution
- custom Semgrep rule management
- local result persistence and historical review
Temodar Agent is built around an AI agent workflow rather than a simple chat box.
- Open dedicated AI threads per plugin or per theme
- Prepare a trusted source workspace for the selected target before deeper review
- Keep thread-level context attached to the investigation, including:
- conversation summary
- analysis summary
- findings summary
- architecture notes
- important files
- last prepared source path
The current runtime supports multiple AI execution strategies that are already exposed in the application:
- agent
- team
- tasks
- fanout
- auto
This makes Temodar Agent suitable for teams that want to move from a single-agent workflow to more advanced multi-agent analysis patterns inside the same product.
The platform also supports:
- custom
agentspayloads - custom
taskspayloads - fanout configuration
- loop detection settings
- trace and runtime event streaming
- before-run and after-run hook payloads
- manual approval mode
- auto-approve mode
- structured AI output when an output schema is provided
Temodar Agent includes a multi-provider AI configuration system with stored profiles, active profile switching, and connection testing.
Supported providers currently present in the application:
- Anthropic
- OpenAI
- Copilot
- Gemini
- Grok
Provider system features already implemented:
- multiple saved provider profiles
- active provider switching
- model selection per profile
- model list storage per profile
- provider connection testing
- optional custom base URL support
- masked API key handling in the UI layer
Temodar Agent includes a production-oriented Semgrep analysis workflow for WordPress source code review.
The current application ships with support for these default Semgrep rulesets:
- OWASP Top 10
- PHP security
- security audit
The current Semgrep system also supports:
- custom Semgrep rule creation
- custom rule deletion
- rule enable / disable toggling
- bulk enable / disable operations
- ruleset add / remove / toggle actions
- validation of custom rule documents
- bulk Semgrep scanning across a scan session
- persistent local storage for Semgrep outputs
This makes Temodar Agent useful not only as an AI security research tool, but also as a Semgrep operations layer for teams that maintain their own detection logic.
Temodar Agent helps security teams reduce noise before manual review starts.
The scanning system can:
- scan WordPress plugins or themes from public sources
- filter by install counts and update windows
- identify abandoned or user-facing targets
- prioritize packages using metadata, tags, and security-related signals
- assign relative risk labels for faster triage
- stream progress to the dashboard in real time
- store scan sessions for later comparison and follow-up
Temodar Agent is designed for organizations that want:
- a faster way to review large WordPress plugin ecosystems
- an AI agent layer on top of source code analysis
- a bridge between Semgrep findings and human investigation
- reusable investigation memory per target
- a local-first workflow for security research and internal review
Temodar Agent is designed to run with Docker.
You need:
- Docker installed and running
- permission to run Docker commands on your machine
Useful links:
docker pull xeloxa/temodar-agent:latestdocker run -d --name temodar-agent -p 8080:8080 \
-v temodar-agent-data:/home/appuser/.temodar-agent \
xeloxa/temodar-agent:latestlatest is recommended if you want the newest published image, but starting an existing container with docker start temodar-agent does not pull new images. To move to a newer latest, pull the image again and recreate the container.
If you want a pinned release instead of latest, use a version tag:
docker pull xeloxa/temodar-agent:v0.1.3
docker run -d --name temodar-agent -p 8080:8080 \
-v temodar-agent-data:/home/appuser/.temodar-agent \
xeloxa/temodar-agent:v0.1.3Open the dashboard at:
Temodar Agent stores persistent application data in one named Docker volume: temodar-agent-data, mounted at /home/appuser/.temodar-agent.
This is a hard cutover to the canonical runtime root. Existing three-volume installs are no longer the supported Docker contract. Recreate the container with the official one-volume command instead of keeping temodar-agent-plugins or temodar-agent-semgrep mounted.
- Start Temodar Agent with the official
docker runcommand - Open the local dashboard
- Launch a WordPress plugin or theme scan
- Review risk labels and prioritized targets
- Run Semgrep on a selected target or across a session
- Open an AI thread for source-aware follow-up analysis
- Continue investigation with stored context, thread memory, and runtime events
Temodar Agent no longer runs host-side update scripts or local rebuild flows.
To update manually:
docker pull xeloxa/temodar-agent:latest
docker rm -f temodar-agent >/dev/null 2>&1 || true
docker run -d --name temodar-agent -p 8080:8080 \
-v temodar-agent-data:/home/appuser/.temodar-agent \
xeloxa/temodar-agent:latestThe in-app update UI only notifies you about new releases and can copy this manual Docker update command. If you installed a pinned tag such as v0.1.3, update by pulling and rerunning the newer pinned tag you want rather than assuming docker start will move you forward.
If you are upgrading from an older three-volume install, stop using the old plugin and Semgrep volumes and recreate the container with only temodar-agent-data mounted at /home/appuser/.temodar-agent.
This project is intended for authorized security research, defensive analysis, and educational use only. It is designed to help researchers and developers assess WordPress plugin and theme attack surfaces, prioritize risky targets, and review code more efficiently.
Do not use this software against systems, plugins, themes, or environments you do not own or do not have explicit permission to test. The author and contributors are not responsible for misuse, damage, service disruption, data loss, or any legal consequences resulting from improper use.
Always ensure your testing is authorized and compliant with applicable laws, regulations, and disclosure policies.