AgentSec detects dangerous permissions, prompt injection risks, secret exposure, and unsafe tool access in MCP servers, Cursor, Claude Desktop, Codex, and Cline configurations — no LLM required.
$ agentsec scan /home/dev/mcp-project --format terminal --show-owasp
Scanning /home/dev/mcp-project...
OWASP mapping enabled

[CRITICAL] LLM06 MCP shell execution
File: claude_desktop_config.json
Server: shell-server
Description: MCP server can execute shell commands
Recommendation: Require explicit approval or remove shell access.
OWASP: LLM06 (Code Injection), AG02 (Unauthorized Execution)

[CRITICAL] LLM08 MCP filesystem write access
File: mcp.json
Description: MCP server has filesystem write access
Recommendation: Restrict filesystem access to read-only or specific directories.
OWASP: LLM08 (Vector Communication), AG01 (Agency Overreach)

[CRITICAL] LLM02 Secret exposure
File: .env
Description: MCP server can access secrets or environment variables
OWASP: LLM02 (Insecure Output Handling)

Total findings: 4 · Critical: 3 · High: 1 · Medium: 0 · Low: 0
AI agents are rapidly adopting MCP and tool-based architectures — most developers don't review these configs for security.
Pure static analysis — no API calls, no model costs, no data leaks. Fast enough to run on every commit.
Every rule maps to OWASP Top 10 for LLM Applications and OWASP Agentic Security Top 10. Speak the industry standard.
SARIF output for GitHub CodeQL, JSON for custom pipelines, Markdown for reports. Gate merges with --fail-on.
Scans JSON, YAML, TOML, Markdown, Dockerfile — MCP, Cursor, Claude Desktop, Codex, Cline, and custom agent configs.
From shell execution and Docker socket access to prompt injection and supply-chain risks. Updated for real-world CVEs.
Track findings over time with baseline comparison. Know when new issues appear and when old ones are fixed.
Every security rule maps to the OWASP Top 10 for LLM Applications and OWASP Agentic Security Top 10.
Suspicious tool descriptions, injected instructions, system prompt overrides
Secret exposure, sensitive file references, credential helper access
MCP shell execution, dynamic code execution, insecure default commands
Broad path access, filesystem write, network + filesystem combinations
Agency overreach, unauthorized execution, data exfiltration, supply chain, privilege escalation
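A small illustration of the kind of static rules listed above, written for this page and not taken from AgentSec: it parses a constructed config in the mcpServers shape used by Claude Desktop and mcp.json, flags shell-backed servers, broad filesystem roots and inline secrets with OWASP-style labels, and derives a --fail-on style exit code. The server names, package names, token value and the three rules themselves are simplified assumptions, not AgentSec's actual rule set.

```python
import json
from typing import Dict, List

# Constructed sample config in the "mcpServers" shape used by Claude Desktop
# and mcp.json; the token value is a placeholder, not a real credential.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "shell-server": {"command": "/bin/bash", "args": ["-c", "$TOOL_CMD"]},
    "fs": {"command": "npx", "args": ["-y", "server-filesystem", "/"]},
    "github": {"command": "npx", "args": ["-y", "server-github"],
               "env": {"GITHUB_TOKEN": "ghp_EXAMPLE_PLACEHOLDER"}},
    "docs": {"command": "npx", "args": ["-y", "server-docs", "./docs"]},
}})

SHELLS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}
BROAD_PATHS = {"/", "~", "C:\\", "/home", "/Users"}
SECRET_HINTS = ("TOKEN", "SECRET", "KEY", "PASSWORD")
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def scan_mcp_config(text: str) -> List[Dict[str, str]]:
    """Pure static check of one config document: no network, no model calls."""
    findings = []
    for name, spec in json.loads(text).get("mcpServers", {}).items():
        cmd = str(spec.get("command", "")).rsplit("/", 1)[-1].lower()
        args = [str(a) for a in spec.get("args", [])]
        env = spec.get("env") or {}
        # Rule 1 (assumed): the server process itself is a shell (LLM06-style finding).
        if cmd in SHELLS:
            findings.append({"server": name, "severity": "critical",
                             "owasp": "LLM06", "title": "MCP shell execution"})
        # Rule 2 (assumed): a filesystem server rooted at a broad path (LLM08-style).
        if "filesystem" in " ".join(args).lower() and any(a in BROAD_PATHS for a in args):
            findings.append({"server": name, "severity": "critical",
                             "owasp": "LLM08", "title": "Broad filesystem path access"})
        # Rule 3 (assumed): literal secret in env rather than a ${VAR} reference (LLM02-style).
        for key, value in env.items():
            if any(h in key.upper() for h in SECRET_HINTS) and not str(value).startswith("${"):
                findings.append({"server": name, "severity": "critical",
                                 "owasp": "LLM02", "title": f"Inline secret in env: {key}"})
    return findings

def exit_code(findings: List[Dict[str, str]], fail_on: str) -> int:
    """Mimics a --fail-on gate: non-zero when any finding meets the threshold."""
    threshold = SEVERITY_RANK[fail_on]
    return 1 if any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings) else 0

if __name__ == "__main__":
    found = scan_mcp_config(SAMPLE_CONFIG)
    print(json.dumps(found, indent=2), "\nexit code with --fail-on high:", exit_code(found, "high"))
```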
We scanned 50 public repositories with mcp.json files. Every single one had at least one security issue.
Read the full research: RESEARCH_GITHUB.md
$ pip install agentsec
$ agentsec scan /path/to/project --format terminal
$ git clone https://github.com/locface/AgentSec.git
$ cd AgentSec
$ pip install -e .
$ agentsec scan .
$ docker build -t agentsec .
$ docker run --rm -v $(pwd):/scan agentsec scan /scan
agentsec scan . --format json                     JSON output for automation
agentsec scan . --format sarif                    SARIF for GitHub CodeQL
agentsec scan . --severity critical               Only critical findings
agentsec scan . --fail-on high                    Gate CI on high+ findings
agentsec scan . --show-owasp                      Show OWASP mapping IDs
agentsec scan . --update-baseline baseline.json   Save baseline for diffs
Add AgentSec to any pipeline — GitHub Actions, GitLab CI, or custom runners.
Run AgentSec with SARIF upload to GitHub CodeQL for inline annotations on every PR.
JSON output feeds any pipeline. Exit codes gate merges. Baseline comparison prevents regression.
Scan only changed files — fast, focused, perfect for large repos.