agent-security-scanner-mcp 4.4.3 → 4.4.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +37 -2
- package/code-review-agent/package.json +1 -1
- package/openclaw.plugin.json +2 -2
- package/package.json +9 -3
- package/server.json +2 -2
- package/templates/github-action-security.yml +31 -0
package/README.md
CHANGED
|
@@ -4,9 +4,9 @@
|
|
|
4
4
|
|
|
5
5
|
# agent-security-scanner-mcp
|
|
6
6
|
|
|
7
|
-
**
|
|
7
|
+
**npm audit for AI agents and MCP servers**
|
|
8
8
|
|
|
9
|
-
|
|
9
|
+
Scan code, MCP tools, prompts, skills, and AI-suggested dependencies before your agent trusts them. Built for Claude Code, Cursor, Windsurf, Cline, OpenClaw, and CI/CD.
|
|
10
10
|
|
|
11
11
|
[](https://www.npmjs.com/package/agent-security-scanner-mcp)
|
|
12
12
|
[](https://www.npmjs.com/package/agent-security-scanner-mcp)
|
|
@@ -18,6 +18,41 @@ Scans code for vulnerabilities, detects hallucinated packages, blocks prompt inj
|
|
|
18
18
|
|
|
19
19
|
---
|
|
20
20
|
|
|
21
|
+
## Start Here
|
|
22
|
+
|
|
23
|
+
Run the agent security smoke test on any repo:
|
|
24
|
+
|
|
25
|
+
```bash
|
|
26
|
+
npx agent-security-scanner-mcp scan-project . --verbosity compact
|
|
27
|
+
```
|
|
28
|
+
|
|
29
|
+
Install it into your AI coding client:
|
|
30
|
+
|
|
31
|
+
```bash
|
|
32
|
+
npx agent-security-scanner-mcp init claude-code
|
|
33
|
+
```
|
|
34
|
+
|
|
35
|
+
Replace `claude-code` with `cursor`, `claude-desktop`, `windsurf`, `cline`, `kilo-code`, `opencode`, or `cody`.
|
|
36
|
+
|
|
37
|
+
### What To Run Before You Trust An Agent
|
|
38
|
+
|
|
39
|
+
```bash
|
|
40
|
+
# Check the whole project and get an A-F security grade
|
|
41
|
+
npx agent-security-scanner-mcp scan-project . --verbosity compact
|
|
42
|
+
|
|
43
|
+
# Audit an MCP server before adding it to Claude/Cursor/Windsurf
|
|
44
|
+
npx agent-security-scanner-mcp scan-mcp ./path/to/mcp-server --verbosity compact
|
|
45
|
+
|
|
46
|
+
# Verify AI-suggested imports are real packages, not hallucinations
|
|
47
|
+
npx agent-security-scanner-mcp scan-packages ./src/app.ts npm --verbosity compact
|
|
48
|
+
|
|
49
|
+
# Add a local environment health check
|
|
50
|
+
npx agent-security-scanner-mcp doctor
|
|
51
|
+
|
|
52
|
+
# Add the scanner to your AI client
|
|
53
|
+
npx agent-security-scanner-mcp init claude-code
|
|
54
|
+
```
|
|
55
|
+
|
|
21
56
|
## 🎯 Two Versions Available
|
|
22
57
|
|
|
23
58
|
### 🔥 ProofLayer (Lightweight) - **NEW!**
|
package/openclaw.plugin.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "agent-security-scanner-mcp",
|
|
3
|
-
"version": "4.
|
|
4
|
-
"description": "
|
|
3
|
+
"version": "4.4.6",
|
|
4
|
+
"description": "npm audit for AI agents and OpenClaw skills: prompt injection firewall, package hallucination detection, MCP/security scanning, and auto-fix",
|
|
5
5
|
"author": "Sinewave AI",
|
|
6
6
|
"license": "MIT",
|
|
7
7
|
"openclaw": {
|
package/package.json
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "agent-security-scanner-mcp",
|
|
3
|
-
"version": "4.4.
|
|
3
|
+
"version": "4.4.6",
|
|
4
4
|
"mcpName": "io.github.sinewaveai/agent-security-scanner-mcp",
|
|
5
|
-
"description": "
|
|
5
|
+
"description": "npm audit for AI agents and MCP servers. Scan code, MCP tools, prompts, and hallucinated packages for Claude Code, Cursor, Windsurf, Cline, OpenClaw, and CI.",
|
|
6
6
|
"main": "index.js",
|
|
7
7
|
"type": "module",
|
|
8
8
|
"bin": {
|
|
@@ -20,6 +20,9 @@
|
|
|
20
20
|
"keywords": [
|
|
21
21
|
"mcp",
|
|
22
22
|
"model-context-protocol",
|
|
23
|
+
"npm-audit",
|
|
24
|
+
"agent-audit",
|
|
25
|
+
"agent-security-audit",
|
|
23
26
|
"claude",
|
|
24
27
|
"opencode",
|
|
25
28
|
"kilocode",
|
|
@@ -36,6 +39,9 @@
|
|
|
36
39
|
"hallucination-detection",
|
|
37
40
|
"package-verification",
|
|
38
41
|
"supply-chain-security",
|
|
42
|
+
"mcp-security",
|
|
43
|
+
"mcp-scanner",
|
|
44
|
+
"mcp-audit",
|
|
39
45
|
"prompt-injection",
|
|
40
46
|
"agent-security",
|
|
41
47
|
"llm-security",
|
|
@@ -75,7 +81,7 @@
|
|
|
75
81
|
"dependencies": {
|
|
76
82
|
"@modelcontextprotocol/sdk": "^1.25.3",
|
|
77
83
|
"bloom-filters": "^3.0.4",
|
|
78
|
-
"tar": "^7.5.
|
|
84
|
+
"tar": "^7.5.16",
|
|
79
85
|
"zod": "^4.3.6"
|
|
80
86
|
},
|
|
81
87
|
"files": [
|
package/server.json
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
{
|
|
2
2
|
"$schema": "https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json",
|
|
3
3
|
"name": "io.github.sinewaveai/agent-security-scanner-mcp",
|
|
4
|
-
"description": "
|
|
5
|
-
"version": "4.
|
|
4
|
+
"description": "npm audit for AI agents and MCP servers: scan code, MCP tools, prompts, and hallucinated packages before agents trust them.",
|
|
5
|
+
"version": "4.4.6",
|
|
6
6
|
"transport": "stdio",
|
|
7
7
|
"registry": "npm"
|
|
8
8
|
}
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
name: Agent Security Scan
|
|
2
|
+
|
|
3
|
+
on:
|
|
4
|
+
pull_request:
|
|
5
|
+
push:
|
|
6
|
+
branches: [main]
|
|
7
|
+
schedule:
|
|
8
|
+
- cron: "0 9 * * 1"
|
|
9
|
+
|
|
10
|
+
permissions:
|
|
11
|
+
contents: read
|
|
12
|
+
security-events: write
|
|
13
|
+
pull-requests: write
|
|
14
|
+
|
|
15
|
+
jobs:
|
|
16
|
+
agent-security:
|
|
17
|
+
name: Scan AI agent, MCP, and supply-chain risk
|
|
18
|
+
runs-on: ubuntu-latest
|
|
19
|
+
|
|
20
|
+
steps:
|
|
21
|
+
- uses: actions/checkout@v4
|
|
22
|
+
with:
|
|
23
|
+
fetch-depth: 0
|
|
24
|
+
|
|
25
|
+
- uses: sinewaveai/agent-security-scanner-mcp/.github/actions/security-scan@main
|
|
26
|
+
with:
|
|
27
|
+
severity_threshold: warning
|
|
28
|
+
scan_packages: "true"
|
|
29
|
+
scan_diff_only: "true"
|
|
30
|
+
upload_sarif: "true"
|
|
31
|
+
|