agent-security-scanner-mcp 1.2.0 → 1.3.0

package/README.md

@@ -2,7 +2,14 @@
 
 A powerful MCP (Model Context Protocol) server for real-time security vulnerability scanning. Integrates with Claude Desktop, Claude Code, OpenCode.ai, Kilo Code, and any MCP-compatible client to automatically detect and fix security issues as you code.
 
-**275 Semgrep-aligned security rules | 105 auto-fix templates | 100% fix coverage | Package hallucination detection**
+**275+ Semgrep-aligned security rules | 105 auto-fix templates | 100% fix coverage | Package hallucination detection | AI Agent prompt security**
+
+## What's New in v1.3.0
+
+- **AI Agent Prompt Security** - New `scan_agent_prompt` tool to detect malicious prompts before execution
+- **56 prompt attack detection rules** - Exfiltration, backdoor requests, social engineering, jailbreaks
+- **Risk scoring engine** - BLOCK/WARN/LOG/ALLOW actions with 0-100 risk scores
+- **Prompt injection detection** - 39 rules for LLM prompt injection patterns
 
 ## What's New in v1.2.0
 
@@ -215,6 +222,89 @@ List all 105 available auto-fix templates.
 
 ---
 
+## AI Agent Prompt Security
+
+Protect AI coding agents (Claude Code, Cursor, Copilot, etc.) from malicious prompts before execution. Detects exfiltration attempts, backdoor requests, social engineering, and obfuscated attacks.
+
+### `scan_agent_prompt`
+
+Scan a prompt for malicious intent before allowing an AI agent to execute it.
+
+```
+Parameters:
+  prompt_text (string): The prompt text to analyze
+  context (object, optional):
+    - sensitivity_level: "high" | "medium" | "low" (default: "medium")
+
+Returns:
+  - action: "BLOCK" | "WARN" | "LOG" | "ALLOW"
+  - risk_score: 0-100
+  - risk_level: "CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "NONE"
+  - findings: Array of detected issues
+  - explanation: Human-readable summary
+  - recommendations: Suggested actions
+```
+
+**Risk Thresholds:**
+
+| Risk Level | Score Range | Action |
+|------------|-------------|--------|
+| CRITICAL | 85-100 | BLOCK |
+| HIGH | 70-84 | BLOCK |
+| MEDIUM | 50-69 | WARN |
+| LOW | 25-49 | LOG |
+| NONE | 0-24 | ALLOW |
+
+**Example - Malicious prompt (BLOCKED):**
+```json
+{
+  "action": "BLOCK",
+  "risk_score": 100,
+  "risk_level": "CRITICAL",
+  "findings": [
+    {
+      "rule_id": "agent.injection.security.backdoor-request",
+      "category": "malicious-injection",
+      "severity": "error",
+      "message": "Request to add backdoor or hidden access mechanism",
+      "matched_text": "add a hidden backdoor",
+      "confidence": "high"
+    }
+  ],
+  "explanation": "Detected 1 potential security issue(s) in prompt",
+  "recommendations": [
+    "Do not execute this prompt",
+    "Review the flagged patterns",
+    "Report if this appears to be an attack attempt"
+  ]
+}
+```
+
+**Example - Safe prompt (ALLOWED):**
+```json
+{
+  "action": "ALLOW",
+  "risk_score": 0,
+  "risk_level": "NONE",
+  "findings": [],
+  "explanation": "No security issues detected in prompt",
+  "recommendations": []
+}
+```
+
+**Attack Categories Detected (56 rules):**
+
+| Category | Rules | Examples |
+|----------|-------|----------|
+| Exfiltration | 10 | Send code to webhook, read .env files, push to external repo |
+| Malicious Injection | 11 | Add backdoor, create reverse shell, disable authentication |
+| System Manipulation | 9 | rm -rf /, modify /etc/passwd, add cron persistence |
+| Social Engineering | 6 | Fake authorization claims, fake debug mode, urgency pressure |
+| Obfuscation | 4 | Base64 encoded commands, ROT13, fragmented instructions |
+| Agent Manipulation | 3 | Ignore previous instructions, override safety, DAN jailbreaks |
+
+---
+
 ## Package Hallucination Detection
 
 Detect AI-hallucinated package names that don't exist in official registries. Prevents supply chain attacks where attackers register fake package names suggested by AI.

package/analyzer.py

@@ -32,6 +32,13 @@ EXTENSION_MAP = {
     '.json': 'json',
     '.tf': 'terraform',
     '.hcl': 'terraform',
+    # Prompt/text file extensions for prompt injection scanning
+    '.txt': 'generic',
+    '.md': 'generic',
+    '.prompt': 'generic',
+    '.jinja': 'generic',
+    '.jinja2': 'generic',
+    '.j2': 'generic',
 }
 
 def detect_language(file_path):

package/index.js

@@ -606,6 +606,109 @@ const FIX_TEMPLATES = {
     }
   },
 
+  // ===========================================
+  // PROMPT INJECTION - LLM SECURITY
+  // ===========================================
+  "prompt-injection": {
+    description: "Sanitize user input before including in LLM prompts",
+    fix: (line, lang) => {
+      if (lang === 'python') {
+        return line
+          .replace(/f["']([^"']*)\{([^}]+)\}([^"']*)["']/, '"$1{sanitized}$3".format(sanitized=sanitize_prompt_input($2))')
+          .replace(/\+\s*(\w+)/, '+ sanitize_prompt_input($1)');
+      }
+      return line
+        .replace(/`([^`]*)\$\{([^}]+)\}([^`]*)`/, '`$1${sanitizePromptInput($2)}$3`')
+        .replace(/\+\s*(\w+)/, '+ sanitizePromptInput($1)');
+    }
+  },
+  "openai-unsafe-fstring": {
+    description: "Sanitize user input before including in OpenAI prompts",
+    fix: (line, lang) => {
+      if (lang === 'python') {
+        return line.replace(
+          /content\s*:\s*f["']([^"']*)["']/,
+          'content: sanitize_llm_input(f"$1")'
+        );
+      }
+      return line.replace(/content\s*:\s*`([^`]*)`/, 'content: sanitizePromptInput(`$1`)');
+    }
+  },
+  "anthropic-unsafe-fstring": {
+    description: "Sanitize user input before including in Anthropic prompts",
+    fix: (line, lang) => {
+      if (lang === 'python') {
+        return line.replace(
+          /content\s*=\s*f["']([^"']*)["']/,
+          'content=sanitize_llm_input(f"$1")'
+        );
+      }
+      return line.replace(/content\s*:\s*`([^`]*)`/, 'content: sanitizePromptInput(`$1`)');
+    }
+  },
+  "langchain-unsafe-template": {
+    description: "Use input validation for LangChain template variables",
+    fix: (line) => '# TODO: Sanitize template variables before use\n' + line
+  },
+  "langchain-chain-unsafe": {
+    description: "Validate user input before LangChain chain execution",
+    fix: (line, lang) => {
+      if (lang === 'python') {
+        return line.replace(/\.run\s*\(\s*(\w+)/, '.run(sanitize_chain_input($1)');
+      }
+      return line.replace(/\.invoke\s*\(\s*(\w+)/, '.invoke(sanitizeChainInput($1)');
+    }
+  },
+  "langchain-agent-unsafe": {
+    description: "Validate user input before LangChain agent execution",
+    fix: (line) => '# SECURITY: Validate and sanitize user input before agent execution\n' + line
+  },
+  "eval-llm-response": {
+    description: "CRITICAL: Never eval() LLM responses - use JSON parsing or ast.literal_eval for safe subset",
+    fix: (line, lang) => {
+      if (lang === 'python') {
+        return line.replace(/eval\s*\(\s*(\w+)/, 'ast.literal_eval($1  # SECURITY: Use safe parsing only');
+      }
+      return line.replace(/eval\s*\(\s*(\w+)/, 'JSON.parse($1  /* SECURITY: Use safe JSON parsing */');
+    }
+  },
+  "exec-llm-response": {
+    description: "CRITICAL: Never exec() LLM responses - remove or use sandboxed execution",
+    fix: (line) => '# SECURITY CRITICAL: Removed dangerous exec() of LLM response\n# ' + line
+  },
+  "function-constructor": {
+    description: "CRITICAL: Never use new Function() with LLM responses",
+    fix: (line) => '// SECURITY CRITICAL: Removed dangerous Function constructor with LLM response\n// ' + line
+  },
+  "pickle-llm-response": {
+    description: "Use JSON instead of pickle for LLM response deserialization",
+    fix: (line) => line.replace(/pickle\.(loads?)\s*\(/, 'json.$1(')
+  },
+  "ignore-previous-instructions": {
+    description: "Detected prompt injection pattern - sanitize or reject this input",
+    fix: (line) => '# SECURITY: Detected prompt injection attempt - INPUT SHOULD BE REJECTED\n# ' + line
+  },
+  "jailbreak-dan": {
+    description: "Detected DAN jailbreak attempt - reject this input",
+    fix: (line) => '# SECURITY: Detected jailbreak attempt - INPUT REJECTED\n# ' + line
+  },
+  "jailbreak-roleplay": {
+    description: "Detected role-play jailbreak attempt - sanitize or reject",
+    fix: (line) => '# SECURITY: Potential jailbreak via role-play - validate input\n# ' + line
+  },
+  "system-prompt-extraction": {
+    description: "Detected system prompt extraction attempt - reject this input",
+    fix: (line) => '# SECURITY: System prompt extraction attempt blocked\n# ' + line
+  },
+  "delimiter-injection": {
+    description: "Detected delimiter injection - escape special characters or reject",
+    fix: (line) => '# SECURITY: Delimiter injection blocked - escape special tokens\n# ' + line
+  },
+  "context-manipulation": {
+    description: "Detected context manipulation attempt - validate input",
+    fix: (line) => '# SECURITY: Context manipulation detected - validate user input\n# ' + line
+  },
+
   // ===========================================
   // ADDITIONAL SECURITY FIXES
   // ===========================================
@@ -629,7 +732,10 @@ function detectLanguage(filePath) {
   const langMap = {
     'py': 'python', 'js': 'javascript', 'ts': 'typescript',
     'tsx': 'typescript', 'jsx': 'javascript', 'java': 'java',
-    'go': 'go', 'rb': 'ruby', 'php': 'php'
+    'go': 'go', 'rb': 'ruby', 'php': 'php',
+    // Prompt/text file extensions for prompt injection scanning
+    'txt': 'generic', 'md': 'generic', 'prompt': 'generic',
+    'jinja': 'generic', 'jinja2': 'generic', 'j2': 'generic'
   };
   return langMap[ext] || 'generic';
 }
@@ -1050,6 +1156,407 @@ server.tool(
   }
 );
 
+// ===========================================
+// AGENT PROMPT SECURITY SCANNING
+// ===========================================
+
+// Risk thresholds for action determination
+const RISK_THRESHOLDS = {
+  CRITICAL: 85,
+  HIGH: 70,
+  MEDIUM: 50,
+  LOW: 25
+};
+
+// Category weights for risk calculation
+const CATEGORY_WEIGHTS = {
+  "exfiltration": 1.0,
+  "malicious-injection": 1.0,
+  "system-manipulation": 1.0,
+  "social-engineering": 0.8,
+  "obfuscation": 0.7,
+  "agent-manipulation": 0.9,
+  "prompt-injection": 0.9,
+  "prompt-injection-content": 0.9,
+  "prompt-injection-jailbreak": 0.85,
+  "prompt-injection-extraction": 0.9,
+  "prompt-injection-delimiter": 0.8
+};
+
+// Confidence multipliers
+const CONFIDENCE_MULTIPLIERS = {
+  "HIGH": 1.0,
+  "MEDIUM": 0.7,
+  "LOW": 0.4
+};
+
+// Load agent attack rules from YAML
+function loadAgentAttackRules() {
+  try {
+    const rulesPath = join(__dirname, 'rules', 'agent-attacks.security.yaml');
+    if (!existsSync(rulesPath)) {
+      console.error("Agent attack rules file not found");
+      return [];
+    }
+
+    const yaml = readFileSync(rulesPath, 'utf-8');
+    const rules = [];
+
+    // Simple YAML parsing for rules
+    const ruleBlocks = yaml.split(/^  - id:/m).slice(1);
+
+    for (const block of ruleBlocks) {
+      const lines = ('  - id:' + block).split('\n');
+      const rule = {
+        id: '',
+        severity: 'WARNING',
+        message: '',
+        patterns: [],
+        metadata: {}
+      };
+
+      let inPatterns = false;
+      let inMetadata = false;
+
+      for (const line of lines) {
+        if (line.match(/^\s+- id:\s*/)) {
+          rule.id = line.replace(/^\s+- id:\s*/, '').trim();
+        } else if (line.match(/^\s+severity:\s*/)) {
+          rule.severity = line.replace(/^\s+severity:\s*/, '').trim();
+        } else if (line.match(/^\s+message:\s*/)) {
+          rule.message = line.replace(/^\s+message:\s*["']?/, '').replace(/["']$/, '').trim();
+        } else if (line.match(/^\s+patterns:\s*$/)) {
+          inPatterns = true;
+          inMetadata = false;
+        } else if (line.match(/^\s+metadata:\s*$/)) {
+          inPatterns = false;
+          inMetadata = true;
+        } else if (inPatterns && line.match(/^\s+- /)) {
+          let pattern = line.replace(/^\s+- /, '').trim();
+          pattern = pattern.replace(/^["']|["']$/g, '');
+          // Strip Python-style inline flags - JS doesn't support them
+          pattern = pattern.replace(/^\(\?i\)/, '');
+          // Unescape double backslashes from YAML (\\s -> \s)
+          pattern = pattern.replace(/\\\\/g, '\\');
+          if (pattern) rule.patterns.push(pattern);
+        } else if (inMetadata && line.match(/^\s+\w+:/)) {
+          const match = line.match(/^\s+(\w+):\s*["']?([^"'\n]+)["']?/);
+          if (match) {
+            rule.metadata[match[1]] = match[2].trim();
+          }
+        } else if (line.match(/^\s+languages:/)) {
+          inPatterns = false;
+          inMetadata = false;
+        }
+      }
+
+      if (rule.id && rule.patterns.length > 0) {
+        rules.push(rule);
+      }
+    }
+
+    return rules;
+  } catch (error) {
+    console.error("Error loading agent attack rules:", error.message);
+    return [];
+  }
+}
+
+// Also load prompt injection rules
+function loadPromptInjectionRules() {
+  try {
+    const rulesPath = join(__dirname, 'rules', 'prompt-injection.security.yaml');
+    if (!existsSync(rulesPath)) {
+      return [];
+    }
+
+    const yaml = readFileSync(rulesPath, 'utf-8');
+    const rules = [];
+
+    const ruleBlocks = yaml.split(/^  - id:/m).slice(1);
+
+    for (const block of ruleBlocks) {
+      const lines = ('  - id:' + block).split('\n');
+      const rule = {
+        id: '',
+        severity: 'WARNING',
+        message: '',
+        patterns: [],
+        metadata: {}
+      };
+
+      let inPatterns = false;
+      let inMetadata = false;
+
+      for (const line of lines) {
+        if (line.match(/^\s+- id:\s*/)) {
+          rule.id = line.replace(/^\s+- id:\s*/, '').trim();
+        } else if (line.match(/^\s+severity:\s*/)) {
+          rule.severity = line.replace(/^\s+severity:\s*/, '').trim();
+        } else if (line.match(/^\s+message:\s*/)) {
+          rule.message = line.replace(/^\s+message:\s*["']?/, '').replace(/["']$/, '').trim();
+        } else if (line.match(/^\s+patterns:\s*$/)) {
+          inPatterns = true;
+          inMetadata = false;
+        } else if (line.match(/^\s+metadata:\s*$/)) {
+          inPatterns = false;
+          inMetadata = true;
+        } else if (inPatterns && line.match(/^\s+- /)) {
+          let pattern = line.replace(/^\s+- /, '').trim();
+          pattern = pattern.replace(/^["']|["']$/g, '');
+          // Strip Python-style inline flags - JS doesn't support them
+          pattern = pattern.replace(/^\(\?i\)/, '');
+          // Unescape double backslashes from YAML (\\s -> \s)
+          pattern = pattern.replace(/\\\\/g, '\\');
+          if (pattern) rule.patterns.push(pattern);
+        } else if (inMetadata && line.match(/^\s+\w+:/)) {
+          const match = line.match(/^\s+(\w+):\s*["']?([^"'\n]+)["']?/);
+          if (match) {
+            rule.metadata[match[1]] = match[2].trim();
+          }
+        }
+      }
+
+      // Only include generic rules (content patterns, not code patterns)
+      if (rule.id && rule.patterns.length > 0 && rule.id.startsWith('generic.prompt')) {
+        rules.push(rule);
+      }
+    }
+
+    return rules;
+  } catch (error) {
+    console.error("Error loading prompt injection rules:", error.message);
+    return [];
+  }
+}
+
+// Calculate risk score from findings
+function calculateRiskScore(findings, context) {
+  if (findings.length === 0) return 0;
+
+  let totalScore = 0;
+
+  for (const finding of findings) {
+    const riskScore = parseInt(finding.risk_score) || 50;
+    const category = finding.category || 'unknown';
+    const confidence = finding.confidence || 'MEDIUM';
+
+    const categoryWeight = CATEGORY_WEIGHTS[category] || 0.5;
+    const confidenceMultiplier = CONFIDENCE_MULTIPLIERS[confidence] || 0.7;
+
+    totalScore += (riskScore / 100) * categoryWeight * confidenceMultiplier * 100;
+  }
+
+  // Average the scores but boost for multiple findings
+  let avgScore = totalScore / findings.length;
+
+  // Boost score if multiple findings (compound risk)
+  if (findings.length > 1) {
+    avgScore = Math.min(100, avgScore * (1 + (findings.length - 1) * 0.1));
+  }
+
+  // Apply sensitivity adjustment
+  if (context?.sensitivity_level === 'high') {
+    avgScore = Math.min(100, avgScore * 1.2);
+  } else if (context?.sensitivity_level === 'low') {
+    avgScore = avgScore * 0.8;
+  }
+
+  return Math.round(avgScore);
+}
+
+// Determine action based on risk score and findings
+function determineAction(riskScore, findings) {
+  // Check for any BLOCK action findings
+  const hasBlockFinding = findings.some(f => f.action === 'BLOCK');
+  if (hasBlockFinding || riskScore >= RISK_THRESHOLDS.CRITICAL) {
+    return 'BLOCK';
+  }
+
+  if (riskScore >= RISK_THRESHOLDS.HIGH) {
+    return 'BLOCK';
+  }
+
+  const hasWarnFinding = findings.some(f => f.action === 'WARN');
+  if (hasWarnFinding || riskScore >= RISK_THRESHOLDS.MEDIUM) {
+    return 'WARN';
+  }
+
+  const hasLogFinding = findings.some(f => f.action === 'LOG');
+  if (hasLogFinding || riskScore >= RISK_THRESHOLDS.LOW) {
+    return 'LOG';
+  }
+
+  return 'ALLOW';
+}
+
+// Determine risk level from score
+function getRiskLevel(score) {
+  if (score >= RISK_THRESHOLDS.CRITICAL) return 'CRITICAL';
+  if (score >= RISK_THRESHOLDS.HIGH) return 'HIGH';
+  if (score >= RISK_THRESHOLDS.MEDIUM) return 'MEDIUM';
+  if (score >= RISK_THRESHOLDS.LOW) return 'LOW';
+  return 'NONE';
+}
+
+// Generate explanation from findings
+function generateExplanation(findings, action) {
+  if (findings.length === 0) {
+    return 'No security concerns detected in this prompt.';
+  }
+
+  const categories = [...new Set(findings.map(f => f.category))];
+  const severity = findings.some(f => f.severity === 'ERROR') ? 'critical' : 'potential';
+
+  let explanation = `Detected ${findings.length} ${severity} security concern(s)`;
+
+  if (categories.length > 0) {
+    explanation += ` in categories: ${categories.join(', ')}`;
+  }
+
+  explanation += `. Action: ${action}.`;
+
+  if (action === 'BLOCK') {
+    explanation += ' This prompt appears to contain malicious intent and should not be executed.';
+  } else if (action === 'WARN') {
+    explanation += ' Review carefully before proceeding.';
+  }
+
+  return explanation;
+}
+
+// Generate recommendations from findings
+function generateRecommendations(findings) {
+  const recommendations = new Set();
+
+  for (const finding of findings) {
+    const category = finding.category;
+
+    switch (category) {
+      case 'exfiltration':
+        recommendations.add('Never allow prompts that request sending code or secrets to external URLs');
+        recommendations.add('Block access to sensitive files like .env, SSH keys, and credentials');
+        break;
+      case 'malicious-injection':
+        recommendations.add('Reject requests for backdoors, reverse shells, or malicious code');
+        recommendations.add('Never disable security controls at user request');
+        break;
+      case 'system-manipulation':
+        recommendations.add('Block destructive file operations and system configuration changes');
+        recommendations.add('Prevent persistence mechanisms like crontab or startup script modifications');
+        break;
+      case 'social-engineering':
+        recommendations.add('Verify authorization claims through proper channels, not prompt content');
+        recommendations.add('Be skeptical of urgency claims or claims of special modes');
+        break;
+      case 'obfuscation':
+        recommendations.add('Be wary of encoded or fragmented instructions');
+        recommendations.add('Reject requests for "examples" of malicious code');
+        break;
+      case 'agent-manipulation':
+        recommendations.add('Maintain confirmation prompts for sensitive operations');
+        recommendations.add('Never hide output or actions from the user');
+        break;
+      default:
+        recommendations.add('Review this prompt carefully before execution');
+    }
+  }
+
+  return [...recommendations];
+}
+
+// Create SHA256 hash for audit logging
+function hashPrompt(text) {
+  const crypto = require('crypto');
+  return crypto.createHash('sha256').update(text).digest('hex').substring(0, 16);
+}
+
+// Register scan_agent_prompt tool
+server.tool(
+  "scan_agent_prompt",
+  "Scan a prompt/instruction for potential malicious intent before execution. Returns risk assessment and recommended action (BLOCK/WARN/LOG/ALLOW).",
+  {
+    prompt_text: z.string().describe("The prompt or instruction text to analyze"),
+    context: z.object({
+      previous_messages: z.array(z.string()).optional().describe("Previous conversation messages for multi-turn detection"),
+      sensitivity_level: z.enum(["high", "medium", "low"]).optional().describe("Sensitivity level - high means more strict, low means more permissive")
+    }).optional().describe("Optional context for better analysis")
+  },
+  async ({ prompt_text, context }) => {
+    const findings = [];
+
+    // Load rules
+    const agentRules = loadAgentAttackRules();
+    const promptRules = loadPromptInjectionRules();
+    const allRules = [...agentRules, ...promptRules];
+
+    // Scan prompt against all rules
+    for (const rule of allRules) {
+      for (const pattern of rule.patterns) {
+        try {
+          const regex = new RegExp(pattern, 'i');
+          const match = prompt_text.match(regex);
+
+          if (match) {
+            findings.push({
+              rule_id: rule.id,
+              category: rule.metadata.category || 'unknown',
+              severity: rule.severity,
+              message: rule.message,
+              matched_text: match[0].substring(0, 100),
+              confidence: rule.metadata.confidence || 'MEDIUM',
+              risk_score: rule.metadata.risk_score || '50',
+              action: rule.metadata.action || 'WARN'
+            });
+            break; // Only one match per rule
+          }
+        } catch (e) {
+          // Skip invalid regex
+        }
+      }
+    }
+
+    // Calculate risk score
+    const riskScore = calculateRiskScore(findings, context);
+    const action = determineAction(riskScore, findings);
+    const riskLevel = getRiskLevel(riskScore);
+    const explanation = generateExplanation(findings, action);
+    const recommendations = generateRecommendations(findings);
+
+    // Create audit info
+    const audit = {
+      timestamp: new Date().toISOString(),
+      prompt_hash: hashPrompt(prompt_text),
+      prompt_length: prompt_text.length,
+      rules_checked: allRules.length,
+      context_provided: !!context
+    };
+
+    return {
+      content: [{
+        type: "text",
+        text: JSON.stringify({
+          action,
+          risk_score: riskScore,
+          risk_level: riskLevel,
+          findings_count: findings.length,
+          findings: findings.map(f => ({
+            rule_id: f.rule_id,
+            category: f.category,
+            severity: f.severity,
+            message: f.message,
+            matched_text: f.matched_text,
+            confidence: f.confidence
+          })),
+          explanation,
+          recommendations,
+          audit
+        }, null, 2)
+      }]
+    };
+  }
+);
+
 // Load package lists on module initialization
 loadPackageLists();
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "agent-security-scanner-mcp",
-  "version": "1.2.0",
-  "description": "MCP server for security scanning & package hallucination detection. Works with Claude Desktop, Claude Code, OpenCode, Kilo Code. Detects SQL injection, XSS, secrets, and AI-invented packages.",
+  "version": "1.3.0",
+  "description": "MCP server for security scanning, AI agent prompt security & package hallucination detection. Works with Claude Desktop, Claude Code, OpenCode, Kilo Code. Detects SQL injection, XSS, secrets, prompt attacks, and AI-invented packages.",
   "main": "index.js",
   "type": "module",
   "bin": {
@@ -26,7 +26,11 @@
     "secrets-detection",
     "hallucination-detection",
     "package-verification",
-    "supply-chain-security"
+    "supply-chain-security",
+    "prompt-injection",
+    "agent-security",
+    "llm-security",
+    "ai-safety"
   ],
   "author": "",
   "license": "MIT",