Open Source · MIT License

Security scanning for
AI agent configurations

AgentSec detects dangerous permissions, prompt injection risks, secret exposure, and unsafe tool access in MCP servers, Cursor, Claude Desktop, Codex, and Cline configurations — no LLM required.

agentsec scan .
$ agentsec scan /home/dev/mcp-project --format terminal --show-owasp

 Scanning /home/dev/mcp-project...
 OWASP mapping enabled

[CRITICAL] LLM06 MCP shell execution
  File: claude_desktop_config.json
  Server: shell-server
  Description: MCP server can execute shell commands
  Recommendation: Require explicit approval or remove shell access.
  OWASP: LLM06 (Code Injection), AG02 (Unauthorized Execution)

[CRITICAL] LLM08 MCP filesystem write access
  File: mcp.json
  Description: MCP server has filesystem write access
  Recommendation: Restrict filesystem access to read-only or specific directories.
  OWASP: LLM08 (Vector Communication), AG01 (Agency Overreach)

[CRITICAL] LLM02 Secret exposure
  File: .env
  Description: MCP server can access secrets or environment variables
  OWASP: LLM02 (Insecure Output Handling)

Total findings: 4 · Critical: 3 · High: 1 · Medium: 0 · Low: 0

Why AgentSec?

AI agents are rapidly adopting MCP and tool-based architectures, but most developers never review these configs for security, even though a single server entry can hand a model a shell, write access to the filesystem, or a live credential.

Zero LLM Dependencies

Pure static analysis: no API calls, no model costs, and no config or secret ever leaves your machine. Fast enough to run on every commit.

OWASP Mapped

Every rule maps to OWASP Top 10 for LLM Applications and OWASP Agentic Security Top 10. Speak the industry standard.

CI/CD Ready

SARIF output for GitHub code scanning, JSON for custom pipelines, Markdown for reports. Gate merges with --fail-on.

Multiple Formats

Scans JSON, YAML, TOML, Markdown, Dockerfile — MCP, Cursor, Claude Desktop, Codex, Cline, and custom agent configs.

41 Security Rules

From shell execution and Docker socket access to prompt injection and supply-chain risks. Updated for real-world CVEs.
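To make the "pure static analysis" claim concrete, here is a small rule set over a Claude Desktop-style MCP config, written for this page as an illustration. It is not AgentSec's code: the rule names, severities, path list and credential patterns are assumptions, and the config it scans is constructed for the demo. The three checks mirror the three finding types in the sample output above (shell launch, broad filesystem root, literal secret in env), and `exit_code` mirrors what a --fail-on gate has to compute.

```python
"""Minimal static checks over an MCP server config, in the spirit of the
rules AgentSec ships. Added illustration; rule names, thresholds and the
sample config are assumptions, not AgentSec's own rules or output."""
import json
import re
from dataclasses import dataclass

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Launching a server through a shell hands the model an arbitrary command runner.
SHELLS = {"sh", "bash", "zsh", "dash", "cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh"}
# Roots that give a filesystem server far more than the project it is meant to serve.
BROAD_PATHS = {"/", "~", "/home", "/Users", "C:\\", "C:/"}
SECRET_NAME = re.compile(r"(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY)", re.I)
# Literal credential shapes (GitHub PAT, AWS access key id, "sk-" style API keys).
SECRET_VALUE = re.compile(r"^(ghp_[A-Za-z0-9]{36}|AKIA[0-9A-Z]{16}|sk-[A-Za-z0-9]{20,})$")

# Constructed claude_desktop_config.json-style input for the demo (not a real file).
SAMPLE_CONFIG = r'''
{
  "mcpServers": {
    "shell-server": {"command": "bash", "args": ["-c", "python3 server.py"]},
    "files":  {"command": "npx", "args": ["-y", "mcp-server-filesystem", "/"]},
    "github": {"command": "npx", "args": ["-y", "mcp-server-github"],
               "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_exampleexampleexampleexampleexample1"}},
    "docs":   {"command": "npx", "args": ["-y", "mcp-server-filesystem", "/home/dev/docs"],
               "env": {"GITHUB_TOKEN": "${GITHUB_TOKEN}"}}
  }
}
'''


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    server: str
    description: str


def scan_mcp_config(text: str) -> list[Finding]:
    """Run the three toy rules over every server in an mcpServers map."""
    cfg = json.loads(text)
    findings: list[Finding] = []
    for name, server in cfg.get("mcpServers", {}).items():
        command = str(server.get("command", ""))
        args = [str(a) for a in server.get("args", [])]
        env = {str(k): str(v) for k, v in server.get("env", {}).items()}
        exe = command.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe in SHELLS:
            findings.append(Finding("critical", "mcp-shell-execution", name,
                                    f"launched via {exe!r}: the model can run arbitrary commands"))
        for a in args:
            if a in BROAD_PATHS:
                findings.append(Finding("high", "mcp-broad-path-access", name,
                                        f"filesystem root {a!r} exposes far more than the project"))
        for key, value in env.items():
            if value.startswith("${"):  # reference to the host environment, not a literal
                continue
            if SECRET_VALUE.match(value) or (SECRET_NAME.search(key) and value):
                findings.append(Finding("critical", "secret-exposure", name,
                                        f"literal credential in env var {key}"))
    return findings


def exit_code(findings: list[Finding], fail_on: str = "high") -> int:
    """Mirror a --fail-on gate: non-zero when any finding is at or above the threshold."""
    threshold = SEVERITY_RANK[fail_on]
    return 1 if any(SEVERITY_RANK[f.severity] >= threshold for f in findings) else 0


if __name__ == "__main__":
    results = scan_mcp_config(SAMPLE_CONFIG)
    for f in results:
        print(f"[{f.severity.upper()}] {f.rule}  server={f.server}  {f.description}")
    raise SystemExit(exit_code(results, "high"))
```

The `docs` server is the deliberate negative case: its path is scoped to one directory and its token is a `${...}` reference resolved by the host, so a rule that flagged every TOKEN-named variable would be noise. The sample config yields two critical findings and one high, so the gate exits 1 at either --fail-on high or --fail-on critical.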

Baseline & Lockfile

Track findings over time with baseline comparison. Know when new issues appear and when old ones are fixed.
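The useful property of a baseline is that a merge gate fails only on findings that are new relative to the last accepted run, while debt you already know about keeps showing in the report. The script below shows that comparison; it is an added example for this page, not AgentSec's baseline implementation, and the JSON field names it keys on (`rule`, `file`, `server`, `severity`) and both reports are assumed and constructed for the illustration.

```python
"""Baseline comparison for scanner output: which findings are new since the
last accepted run, which were fixed, which are carried over. Added example;
the JSON field names are assumed, not AgentSec's documented schema."""
import json

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed previous run (the accepted baseline) and current run.
BASELINE_JSON = """[
  {"rule": "mcp-shell-execution", "severity": "critical", "file": "claude_desktop_config.json", "server": "shell-server"},
  {"rule": "mcp-broad-path-access", "severity": "high", "file": "mcp.json", "server": "files"},
  {"rule": "no-policy-file", "severity": "low", "file": "", "server": ""}
]"""
CURRENT_JSON = """[
  {"rule": "mcp-broad-path-access", "severity": "high", "file": "mcp.json", "server": "files"},
  {"rule": "no-policy-file", "severity": "low", "file": "", "server": ""},
  {"rule": "network-plus-filesystem", "severity": "critical", "file": "mcp.json", "server": "fetch"}
]"""


def fingerprint(finding: dict) -> tuple[str, str, str]:
    # Identity deliberately excludes line numbers and message text, so an
    # unrelated edit that shifts a finding down a few lines is not re-reported as new.
    return (finding["rule"], finding.get("file", ""), finding.get("server", ""))


def diff_findings(baseline: list[dict], current: list[dict]) -> dict[str, list[dict]]:
    base = {fingerprint(f): f for f in baseline}
    cur = {fingerprint(f): f for f in current}
    return {
        "new": [cur[k] for k in sorted(cur.keys() - base.keys())],
        "fixed": [base[k] for k in sorted(base.keys() - cur.keys())],
        "carried": [cur[k] for k in sorted(cur.keys() & base.keys())],
    }


def diff_reports(baseline_text: str, current_text: str) -> dict[str, list[dict]]:
    """Convenience wrapper taking the two JSON reports as text."""
    return diff_findings(json.loads(baseline_text), json.loads(current_text))


def gate_on_new(diff: dict[str, list[dict]], fail_on: str = "high") -> int:
    """Fail only on new findings at or above the threshold; known debt in the
    baseline does not block the merge, and a shrinking baseline is progress."""
    threshold = SEVERITY_RANK[fail_on]
    return 1 if any(SEVERITY_RANK[f["severity"]] >= threshold for f in diff["new"]) else 0


if __name__ == "__main__":
    d = diff_reports(BASELINE_JSON, CURRENT_JSON)
    for bucket, items in d.items():
        for f in items:
            print(f"{bucket:>8}  [{f['severity'].upper()}] {f['rule']} {f['file']} {f['server']}".rstrip())
    raise SystemExit(gate_on_new(d, "high"))
```

On the constructed reports the shell-execution finding shows as fixed, two findings carry over, and the new critical network-plus-filesystem finding is the one that fails the gate. Refresh the stored baseline only after the new finding has been reviewed, otherwise the comparison silently accepts it.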

OWASP Mapped Rules

Every security rule maps to the OWASP Top 10 for LLM Applications and OWASP Agentic Security Top 10.

LLM01 HIGH

Prompt Injection

Suspicious tool descriptions, injected instructions, system prompt overrides

LLM02 CRITICAL

Insecure Output Handling

Secret exposure, sensitive file references, credential helper access

LLM06 CRITICAL

Code Injection

MCP shell execution, dynamic code execution, insecure default commands

LLM08 HIGH

Vector Communication

Broad path access, filesystem write, network + filesystem combinations

AG01–AG10 AGENTIC

OWASP Agentic Security Top 10

Agency overreach, unauthorized execution, data exfiltration, supply chain, privilege escalation

Real Results

We scanned 50 public repositories with mcp.json files. Every single one had at least one security issue.

Critical findings: 83 (24%)
High findings: 172 (51%)
Medium findings: 44 (13%)
Low findings: 41 (12%)
(340 findings in total across the 50 repositories)

Read the full research: RESEARCH_GITHUB.md

Top 5 Most Common Violations

HIGH Broad path access 45/50 repos
LOW No policy file 41/50 repos
HIGH Claude Desktop MCP risks 36/50 repos
CRITICAL Network + filesystem access 31/50 repos
HIGH Web + filesystem access 28/50 repos

Get Started in 10 Seconds

pip:
$ pip install agentsec
$ agentsec scan /path/to/project --format terminal

From source:
$ git clone https://github.com/locface/AgentSec.git
$ cd AgentSec
$ pip install -e .
$ agentsec scan .

Docker:
$ docker build -t agentsec .
$ docker run --rm -v $(pwd):/scan agentsec scan /scan

Quick Commands

agentsec scan . --format json                      # JSON output for automation
agentsec scan . --format sarif                     # SARIF for GitHub code scanning
agentsec scan . --severity critical                # Only critical findings
agentsec scan . --fail-on high                     # Exit non-zero on high or critical findings
agentsec scan . --show-owasp                       # Show OWASP mapping IDs
agentsec scan . --update-baseline baseline.json    # Save baseline for diffs

CI/CD Integration

Add AgentSec to any pipeline — GitHub Actions, GitLab CI, or custom runners.

GitHub Actions

Run AgentSec with SARIF upload to GitHub code scanning for inline annotations on every PR.
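A workflow that does this, written for this page as an example rather than taken from the project's repository. It uses only the flags listed under Quick Commands (--format sarif, --fail-on) and assumes the SARIF report is written to stdout, so it is redirected to a file; if your installed version takes an output-file option, use that instead. Action versions are the current major tags at the time of writing.

```yaml
name: AgentSec
on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required to upload SARIF to code scanning

jobs:
  agentsec:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install agentsec

      # Assumption: the report goes to stdout, so it is redirected to a file.
      # continue-on-error keeps the job alive long enough to upload the
      # report; the gate is re-applied in the last step.
      - id: scan
        run: agentsec scan . --format sarif --fail-on high > agentsec.sarif
        continue-on-error: true

      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: agentsec.sarif

      - name: Gate on high or critical findings
        if: steps.scan.outcome == 'failure'
        run: |
          echo "AgentSec reported findings at or above 'high'; see the Security tab for details."
          exit 1
```

The ordering matters: if the scan step itself failed the job, the upload would be skipped and the PR would show a red check with no annotations. Running the scan with `continue-on-error`, uploading, and then failing on the recorded outcome gives reviewers the inline findings and still blocks the merge.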


GitLab / Jenkins / Custom

JSON output feeds any pipeline. Exit codes gate merges. Baseline comparison prevents regression.


PR Mode (Coming)

Scan only changed files — fast, focused, perfect for large repos.