Agent Scan
Security scanner for AI agents, MCP servers and agent skills.
What is Agent Scan?
Agent Scan is a Model Context Protocol (MCP) server that gives AI assistants like Claude, Cursor, and VS Code access to a security scanner for AI agents, MCP servers and agent skills.
This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.
Features
- Security scanner for AI agents, MCP servers and agent skills
Installation
Manual Installation
npx agent-scan
Configuration
Configuration Details
claude_desktop_config.json
How to Set Up and Use Agent Scan
Agent Scan is Snyk's open-source security scanner specifically built for AI agent ecosystems — it discovers MCP server configurations across all major coding environments (Claude Desktop, Cursor, Windsurf, VS Code, Amazon Q, and others), scans them for 15+ distinct security risks including prompt injection, tool poisoning, malware payloads, and hardcoded secrets, and reports actionable findings. Security engineers and development teams use it to audit their AI toolchains before deploying agents in production, or to continuously validate that newly installed MCP servers do not introduce supply chain vulnerabilities.
Prerequisites
- Python 3.9+ and the uv package manager installed
- A Snyk account with an API token from https://app.snyk.io/account
- At least one MCP client installed (Claude Desktop, Cursor, VS Code, etc.) for auto-discovery to work
- Optional: Docker or a VM sandbox for scanning untrusted third-party MCP configurations safely
Obtain your Snyk API token
Log in to your Snyk account at https://app.snyk.io/account and copy your personal API token from the Account Settings page.
Set the SNYK_TOKEN environment variable
Export your Snyk token so that agent-scan can authenticate with the Snyk platform when checking packages and scanning results.
export SNYK_TOKEN=your-snyk-api-token-here
Run a full machine scan with uvx
Use uvx to run the latest agent-scan without installing it. It will auto-discover MCP server configurations across all supported tools on your machine.
uvx snyk-agent-scan@latest
Scan a specific MCP configuration file
Target a single config file for scanning, useful when reviewing a newly added MCP server before enabling it.
uvx snyk-agent-scan@latest ~/.config/claude/claude_desktop_config.json
Scan agent skills directories
In addition to MCP config files, agent-scan can audit agent skill directories for security issues.
uvx snyk-agent-scan@latest ~/.claude/skills
Run in CI/CD non-interactive mode
For automated pipelines, pass the --dangerously-run-mcp-servers flag to allow server execution during scanning (use only in isolated environments).
uvx snyk-agent-scan@latest --dangerously-run-mcp-servers
Agent Scan Examples
Client configuration
Add agent-scan as an MCP server so your AI assistant can trigger scans on demand.
{
  "mcpServers": {
    "agent-scan": {
      "command": "uvx",
      "args": ["snyk-agent-scan@latest", "--mcp"],
      "env": {
        "SNYK_TOKEN": "your-snyk-api-token-here"
      }
    }
  }
}
Prompts to try
Example prompts and CLI commands for security scanning workflows.
- Run: uvx snyk-agent-scan@latest (full auto-discovery scan of your machine)
- "Scan all my MCP configurations and report any prompt injection risks."
- "Check ~/.vscode/mcp.json for hardcoded secrets or malicious tool definitions."
- Run: uvx snyk-agent-scan@latest --no-skills (skip agent skills, only scan MCP configs)
- Run: uvx snyk-agent-scan@latest inspect (examine configs without executing servers)
Troubleshooting Agent Scan
Scan fails with 'authentication error' or '401 Unauthorized'
Verify that SNYK_TOKEN is exported in your current shell and contains a valid token from https://app.snyk.io/account. Tokens can expire; generate a new one if needed.
No MCP configurations are discovered even though you have Claude Desktop installed
Agent-scan looks for configs in standard locations (e.g., ~/Library/Application Support/Claude/ on macOS). If your config is in a non-standard path, pass it explicitly: 'uvx snyk-agent-scan@latest /custom/path/claude_desktop_config.json'.
Scanning reports a false positive for a trusted MCP server
Use 'uvx snyk-agent-scan@latest inspect' to review the raw detection reasoning. You can also use '--no-skills' to narrow the scan scope and isolate which finding is triggering the alert.
Frequently Asked Questions about Agent Scan
What is Agent Scan?
Agent Scan is a Model Context Protocol (MCP) server that provides a security scanner for AI agents, MCP servers and agent skills. It connects AI assistants to external tools and data sources through a standardized interface.
How do I install Agent Scan?
Follow the installation instructions on the Agent Scan GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.
Which AI clients work with Agent Scan?
Agent Scan works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.
Is Agent Scan free to use?
Yes, Agent Scan is open source and available under the Apache-2.0 license. You can use it freely in both personal and commercial projects.
Agent Scan Alternatives — Similar Security Servers
Looking for alternatives to Agent Scan? Here are other popular security servers you can use with Claude, Cursor, and VS Code.
Casdoor
★ 13.6k
An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD
ghidraMCP
★ 9.0k
A Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through
HexStrike AI
★ 8.9k
HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b
IDA Pro MCP
★ 8.7k
Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.
Anthropic Cybersecurity Skills
★ 6.6k
754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform
Hooker
★ 5.1k
🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u