agent-security-scanner-mcp

Overview

The agent-security-scanner-mcp provides comprehensive security scanning for AI coding agents and autonomous assistants. It offers two versions: a lightweight ProofLayer scanner (81.5KB, 4-second install) with 400+ security rules, and a full enterprise-grade version with AST analysis, taint tracking, and LLM-powered semantic code review. The scanner includes tools for detecting vulnerabilities, preventing AI-hallucinated packages, blocking prompt injection attacks, and generating compliance reports. It integrates with multiple AI clients through MCP and provides CLI functionality for CI/CD pipelines.

Try asking AI

After installing, here are 6 things you can ask your AI assistant:

• scan_security

  Scan code for vulnerabilities (1700+ rules, 12 languages) with AST and taint analysis

  Try:Scan this code for security vulnerabilitiesTry:Check for security issues in my JavaScript file
• fix_security

  Auto-fix all detected vulnerabilities (120 fix templates)

  Try:Fix the security issues you foundTry:Automatically resolve these vulnerabilities
• scan_git_diff

  Scan only changed files in git diff

  Try:Scan the changes for security issuesTry:Check this diff for vulnerabilities
• scan_project

  Scan entire project with A-F security grading

  Try:Give my project a security gradeTry:Audit the entire codebase for security
• check_package

  Verify a package name isn't AI-hallucinated (4.3M+ packages)

  Try:Is this package name real?Try:Check if this dependency exists
• scan_packages

  Bulk-check all imports in a file for hallucinated packages

  Try:Scan all imports in this fileTry:Check these dependencies for hallucinations
• scan_agent_prompt

  Detect prompt injection with bypass hardening (59 rules + multi-encoding)

  Try:Check this prompt for injection attemptsTry:Scan these instructions for manipulation
• scan_agent_action

  Pre-execution safety check for agent actions (bash, file ops, HTTP)

  Try:Is this command safe to execute?Try:Check this file operation for security risks
• scan_mcp_server

  Scan MCP server source for vulnerabilities: unicode poisoning, name spoofing

  Try:Analyze this MCP server for security issuesTry:Scan this server for potential vulnerabilities
• scan_skill

  Deep security scan of an OpenClaw skill: prompt injection, AST+taint code analysis

  Try:Scan this OpenClaw skill for security issuesTry:Check this skill for malicious code
• sbom_generate

  Generate CycloneDX v1.5 SBOM for a project

  Try:Generate a SBOM for this projectTry:Create a bill of materials for my dependencies
• evaluate_compliance

  Evaluate project against compliance frameworks with evidence collection

  Try:Check this project for SOC2 complianceTry:Evaluate against GDPR technical requirements

Comparable tools

Installation

npm install -g agent-security-scanner-mcp

npm install -g @prooflayer/security-scanner

npx agent-security-scanner-mcp init claude-code

FAQ

What AI clients does this scanner support?

The scanner supports Claude Code, Cursor, Windsurf, Cline, Claude Desktop, kilo-code, opencode, and cody through MCP integration. It also provides a standalone CLI (OpenClaw) for CI/CD pipelines.

How does it detect AI-hallucinated packages?

The scanner maintains a database of 4.3M+ legitimate packages and uses bloom filters for verification. When checking imports, it flags any package not found in official registries as potentially hallucinated.

Compare agent-security-scanner-mcp with