agent-security-scanner-mcp - npm
npm
Search<br>Sign UpSign In
agent-security-scanner-mcp<br>4.4.7 • Public • Published a day ago<br>Readme<br>Code Beta<br>4 Dependencies<br>0 Dependents<br>67 Versions
agent-security-scanner-mcp
npm audit for AI agents and MCP servers
Scan code, MCP tools, prompts, skills, and AI-suggested dependencies before your agent trusts them. Built for Claude Code, Cursor, Windsurf, Cline, OpenClaw, and CI/CD.
Start Here
Run the agent security smoke test on any repo:
npx agent-security-scanner-mcp scan-project . --verbosity compact
Install it into your AI coding client:
npx agent-security-scanner-mcp init claude-code
Replace claude-code with cursor, claude-desktop, windsurf, cline, kilo-code, opencode, or cody.
Add the GitHub Actions workflow:
npx agent-security-scanner-mcp init-ci github
What To Run Before You Trust An Agent
# Check the whole project and get an A-F security grade<br>npx agent-security-scanner-mcp scan-project . --verbosity compact
# Audit an MCP server before adding it to Claude/Cursor/Windsurf<br>npx agent-security-scanner-mcp scan-mcp ./path/to/mcp-server --verbosity compact
# Verify AI-suggested imports are real packages, not hallucinations<br>npx agent-security-scanner-mcp scan-packages ./src/app.ts npm --verbosity compact
# Add a local environment health check<br>npx agent-security-scanner-mcp doctor
# Add the scanner to your AI client<br>npx agent-security-scanner-mcp init claude-code
🎯 Two Versions Available
🔥 ProofLayer (Lightweight) - NEW!
Ultra-fast, zero-Python security scanner — 81.5KB package, 4-second install
npm install -g @prooflayer/security-scanner
⚡ 4-second install (vs 45s traditional scanners)
📦 81.5KB package (vs 50MB+ alternatives)
🚀 Instant scans - pure regex, no Python/LLM
🛡️ 400+ security rules across 9 languages
🎯 7 MCP tools for AI agents
✅ Zero dependencies on Python
💯 MIT licensed - free for commercial use
📖 ProofLayer Documentation →
🔬 Full Version (Advanced)
Enterprise-grade scanner with AST analysis, taint tracking, cross-file analysis, and LLM-powered semantic review
npm install -g agent-security-scanner-mcp
🧬 AST + Taint Analysis - deep code understanding
🔍 1,700+ security rules across 12 languages
📊 Cross-file tracking - follow data flows
🎯 11 MCP tools + CLI commands
📦 4.3M+ package verification (bloom filters)
🐍 Python analyzer for advanced features
🤖 LLM-powered code review - semantic security analysis with intent profiling
Continue reading below for full version documentation →
New in v4.4.7 (2026-07-07): CI adoption improvements — added init-ci github to install the GitHub Actions workflow from the CLI, and scheduled GitHub Action runs now automatically scan the full project instead of only the latest diff. Package hallucination checks also use all tracked source files during full-project runs.
New in v4.3.0 (2026-05-05): Critical security and reliability fixes — GitHub Actions now fail closed instead of fail-open when scanner output is invalid (preventing security gate bypass), patched 8 Hono CVEs (XSS, path traversal, authentication bypass), fixed confidence threshold filtering case sensitivity, and corrected SARIF generation for GitHub Code Scanning. All fixes include comprehensive regression tests. Upgrade recommended for production use. See Full Changelog.
New in v4.2.0: Compliance evidence collection — evaluate projects against SOC2-Technical (8 controls) and GDPR-Technical (6 controls) frameworks. Collects evidence from code scans, SBOM, vulnerability checks, and hallucination detection, then evaluates controls with pass/partial/fail/not_evaluated status. Supports evidence persistence for audit trails. See Compliance Evaluation.
New in v4.1.0: SBOM generation and dependency vulnerability analysis — generates CycloneDX v1.5 SBOMs, scans against OSV.dev for CVEs, detects hallucinated packages, compares baselines, and generates HTML audit reports. Supports 8 lock file formats and 7 manifest formats across npm, Python, Go, Rust, Ruby, and Java ecosystems. See SBOM Tools.
New in v4.0.0: LLM-powered semantic code review agent with intent profiling — understands what your project is supposed to do and flags patterns that violate that intent. Same eval() call = safe in a build tool, dangerous in an e-commerce app. Supports Claude CLI (no API key needed!), Anthropic, and OpenAI. See code-review-agent.
New in v3.11.0: ClawHub ecosystem security scanning — scanned all 16,532 ClawHub skills and found 46% have critical vulnerabilities. New scan-clawhub CLI for batch scanning, 40+ prompt injection patterns, jailbreak detection (DAN mode, dev mode), data exfiltration checks. See ClawHub Security Dashboard.
Also in v3.10.0: ClawProof OpenClaw plugin — 6-layer deep skill scanner (scan_skill) with ClawHavoc malware signatures (27 rules, 121 patterns covering reverse shells, crypto miners, info stealers, C2 beacons, and OpenClaw-specific attacks), package supply chain verification, and rug pull...