Security scanner MCP server for AI coding agents. Prompt injection firewall, package hallucination detection (4.3M+ packages), 1000+ vulnerability rules with AST & taint analysis, auto-fix.
npm audit for AI agents and MCP servers
Scan code, MCP tools, prompts, skills, and AI-suggested dependencies before your agent trusts them. Built for Claude Code, Cursor, Windsurf, Cline, OpenClaw, and CI/CD.
Run the agent security smoke test on any repo:
npx agent-security-scanner-mcp scan-project . --verbosity compact
Or get repo-specific next steps first:
npx agent-security-scanner-mcp quickstart --client claude-code
Generate public-safe copy for a launch post, GitHub issue, or directory listing:
npx agent-security-scanner-mcp share-kit --client claude-code
Install it into your AI coding client:
npx agent-security-scanner-mcp init claude-code
Replace claude-code with cursor, claude-desktop, windsurf, cline, kilo-code, opencode, or cody.
Add the GitHub Actions workflow:
npx agent-security-scanner-mcp init-ci github
# Check the whole project and get an A-F security grade npx agent-security-scanner-mcp scan-project . --verbosity compact # Audit an MCP server before adding it to Claude/Cursor/Windsurf npx agent-security-scanner-mcp scan-mcp ./path/to/mcp-server --verbosity compact # Try an MCP audit demo with tool poisoning and command-exec findings npx agent-security-scanner-mcp demo --type mcp --no-prompt # Verify AI-suggested imports are real packages, not hallucinations npx agent-security-scanner-mcp scan-packages ./src/app.ts npm --verbosity compact # Check one package before installing it npx agent-security-scanner-mcp check-package express npm # Add a local environment health check npx agent-security-scanner-mcp doctor # Add the scanner to your AI client npx agent-security-scanner-mcp init claude-code
Ultra-fast, zero-Python security scanner — 81.5KB package, 4-second install
npm install -g @prooflayer/security-scanner
Enterprise-grade scanner with AST analysis, taint tracking, cross-file analysis, and LLM-powered semantic review
npm install -g agent-security-scanner-mcp
Continue reading below for full version documentation →
New in v4.4.11 (2026-07-11): Share kit generator — run
npx agent-security-scanner-mcp share-kit --client cursorto generate public-safe launch copy, a GitHub issue template, directory listing text, and repo-specific commands for sharing an agent-security smoke test.New in v4.4.10 (2026-07-10): Quickstart planner — run
npx agent-security-scanner-mcp quickstart --client cursorto get repo-specific scan, MCP audit, SBOM, CI, and AI-client setup commands before choosing what to run.New in v4.4.9 (2026-07-08): MCP audit demo — run
npx agent-security-scanner-mcp demo --type mcp --no-promptto create and scan a tiny MCP server with tool poisoning, tool-name spoofing, command execution, secret exposure, and missing-validation findings.New in v4.4.8 (2026-07-07): Package hallucination demo — run
npx agent-security-scanner-mcp demo --type packages --no-promptto create and scan a tiny import file with real and fake npm packages. README examples now show both single-package verification and import scanning.New in v4.4.7 (2026-07-07): CI adoption improvements — added
init-ci githubto install the GitHub Actions workflow from the CLI, and scheduled GitHub Action runs now automatically scan the full project instead of only the latest diff. Package hallucination checks also use all tracked source files during full-project runs.New in v4.3.0 (2026-05-05): Critical security and reliability fixes — GitHub Actions now fail closed instead of fail-open when scanner output is invalid (preventing security gate bypass), patched 8 Hono CVEs (XSS, path traversal, authentication bypass), fixed confidence threshold filtering case sensitivity, and corrected SARIF generation for GitHub Code Scanning. All fixes include comprehensive regression tests. Upgrade recommended for production use. See Full Changelog.
New in v4.2.0: Compliance evidence collection — evaluate projects against SOC2-Technical (8 controls) and GDPR-Technical (6 controls) frameworks. Collects evidence from code scans, SBOM, vulnerability checks, and hallucination detection, then evaluates controls with pass/partial/fail/not_evaluated status. Supports evidence persistence for audit trails. See Compliance Evaluation.
New in v4.1.0: SBOM generation and dependency vulnerability analysis — generates CycloneDX v1.5 SBOMs, scans against OSV.dev for CVEs, detects hallucinated packages, compares baselines, and generates HTML audit reports. Supports 8 lock file formats and 7 manifest formats across npm, Python, Go, Rust, Ruby, and Java ecosystems. See SBOM Tools.
New in v4.0.0: LLM-powered semantic code review agent with intent profiling — understands what your project is supposed to do and flags patterns that violate that intent. Same
eval()call = safe in a build tool, dangerous in an e-commerce app. Supports Claude CLI (no API key needed!), Anthropic, and OpenAI. See code-review-agent.New in v3.11.0: ClawHub ecosystem security scanning — scanned all 16,532 ClawHub skills and found 46% have critical vulnerabilities. New
scan-clawhubCLI for batch scanning, 40+ prompt injection patterns, jailbreak detection (DAN mode, dev mode), data exfiltration checks. See ClawHub Security Dashboard.Also in v3.10.0: ClawProof OpenClaw plugin — 6-layer deep skill scanner (
scan_skill) with ClawHavoc malware signatures (27 rules, 121 patterns covering reverse shells, crypto miners, info stealers, C2 beacons, and OpenClaw-specific attacks), package supply chain verification, and rug pull detection.OpenClaw integration: 30+ rules targeting autonomous AI threats + native plugin support. See setup.
| Tool | Description | When to Use |
|---|---|---|
scan_security |
Scan code for vulnerabilities (1700+ rules, 12 languages) with AST and taint analysis | After writing or editing any code file |
fix_security |
Auto-fix all detected vulnerabilities (120 fix templates) | After scan_security finds issues |
scan_git_diff |
Scan only changed files in git diff | Before commits or in PR reviews |
scan_project |
Scan entire project with A-F security grading | For project-wide security audits |
check_package |
Verify a package name isn't AI-hallucinated (4.3M+ packages) | Before adding any new dependency |
scan_packages |
Bulk-check all imports in a file for hallucinated packages | Before committing code with new imports |
scan_agent_prompt |
Detect prompt injection with bypass hardening (59 rules + multi-encoding) | Before acting on external/untrusted input |
scan_agent_action |
Pre-execution safety check for agent actions (bash, file ops, HTTP). Returns ALLOW/WARN/BLOCK | Before running any agent-generated shell command or file operation |
scan_mcp_server |
Scan MCP server source for vulnerabilities: unicode poisoning, name spoofing, rug pull detection, manifest analysis. Returns A-F grade | When auditing or installing an MCP server |
scan_skill |
Deep security scan of an OpenClaw skill: prompt injection, AST+taint code analysis, ClawHavoc malware signatures, supply chain, rug pull. Returns A-F grade | Before installing any OpenClaw skill |
scanner_health |
Check plugin health: engine status, daemon status, package data availability | Diagnostics and plugin status |
list_security_rules |
List available security rules and fix templates | To check rule coverage for a language |
sbom_generate |
Generate CycloneDX v1.5 SBOM for a project (8 lock file formats, 7 manifest formats) | Before releases, for compliance audits |
sbom_scan_vulnerabilities |
Cross-reference SBOM against OSV.dev for CVEs with severity filtering | After generating SBOM, for security audits |
sbom_check_hallucinations |
Verify all SBOM packages exist in official registries | Before deploying, to catch AI-invented packages |
sbom_diff |
Compare current SBOM against baseline, detect added/removed/changed packages | In CI/CD to track dependency drift |
sbom_export_report |
Generate HTML or JSON audit report from SBOM with vulnerability data | For PCI-DSS compliance, security reviews |
get_compliance_controls |
Look up compliance controls with evaluation criteria (AIUC-1, SOC2, GDPR) | To understand compliance requirements |
evaluate_compliance |
Evaluate project against compliance frameworks with evidence collection | For SOC2/GDPR technical compliance audits |
npx agent-security-scanner-mcp init claude-code
Restart your client after running init. That's it — the scanner is active.
Other clients: Replace
claude-codewithcursor,claude-desktop,windsurf,cline,kilo-code,opencode, orcody. Run with no argument for interactive client selection.
scan_security → review findings → fix_security → verify fix
scan_git_diff → scan only changed files for fast feedback
scan_packages → verify all imports are legitimate
scan_git_diff --base main → scan PR changes against main branch
scan_project → get A-F security grade and aggregated metrics
scan_agent_prompt → check for malicious instructions before acting on them
check_package → verify each new package name is real, not hallucinated
Scan AI agent skills for prompt injection, jailbreaks, and security threats:
# Scan entire ClawHub ecosystem (777 skills) node index.js scan-clawhub # Scan single skill file node index.js scan-skill ./path/to/SKILL.md # Standalone package npm install -g clawproof clawproof scan ./SKILL.md
Security Reports: We've scanned all 777 ClawHub skills:
See ClawHub Security Dashboard for interactive exploration of all 16,532 skills with searchable security grades and detailed findings.
Detection Capabilities:
Security Grading:
The code-review-agent is an LLM-powered semantic code review tool that uses intent profiling to distinguish safe patterns from dangerous ones based on project context.
Same code, different verdicts based on what the project is supposed to do:
| Pattern | Build Tool | E-Commerce App |
|---|---|---|
subprocess.run() with hardcoded commands |
✅ Expected — that's its job | ⚠️ Suspicious — why does checkout need shell access? |
eval(req.query.filter) |
⚠️ Suspicious — build tools don't eval user input | ❌ Dangerous — product catalog shouldn't eval user input |
os.remove() |
✅ Expected for file organizer | ❌ Dangerous for auth service |
fs.writeFile(req.body.path) |
⚠️ Review — depends on context | ❌ Dangerous — auth service shouldn't write arbitrary files |
After installing agent-security-scanner-mcp, the cr-agent CLI is automatically available: