DEV.co
MCP Servers · snyk

agent-scan

Agent Scan is a Python-based security scanner from Snyk that discovers and audits AI agent components (MCP servers, agent skills) on your machine for vulnerabilities like prompt injection and malware. It auto-detects configurations across 12+ agents including Claude, Cursor, and Windsurf, and reports 15+ risk types across multiple OS platforms.

Source: GitHub — github.com/snyk/agent-scan
2.8k
GitHub stars
244
Forks
Python
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorysnyk/agent-scan
Ownersnyk
Primary languagePython
LicenseApache-2.0 — OSI-approved
Stars2.8k
Forks244
Open issues3
Latest releasev0.5.12 (2026-06-23)
Last updated2026-07-07
Sourcehttps://github.com/snyk/agent-scan

What agent-scan is

CLI tool that performs static and dynamic analysis of MCP server configurations and agent skill definitions, executing stdio MCP servers during interactive scans to validate tool descriptions and detect prompt injection, tool poisoning, toxic flows, and credential handling issues. Requires Snyk API token for analysis and reports structured findings via experimental CLI output.

Quickstart

Get the agent-scan source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/snyk/agent-scan.gitcd agent-scan# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Agent Security Posture Discovery

Automatically inventory all installed AI agent components (Claude, Cursor, Windsurf, etc.) and their MCP servers/skills across macOS, Linux, and Windows, providing visibility into supply chain risk without manual enumeration.

Prompt Injection & Tool Poisoning Detection

Scan MCP server tool definitions and agent skills for prompt injection vectors, tool shadowing, malware payloads, and hardcoded secrets before they interact with sensitive data or execute unvalidated commands.

Enterprise Agent Risk Management

For organizations deploying agents at scale, integrate with Snyk's Evo platform (enterprise mode, stable API) to centrally manage agent security risk across teams and enforce policy on skill and MCP server adoption.

Implementation considerations

  • Requires Snyk account creation and API token (free tier available) before any scan; set SNYK_TOKEN environment variable before invocation.
  • Install via `uvx snyk-agent-scan@latest` (Python-based, requires uv package manager); supports Python 3.x versions (exact minimum version not specified in data).
  • Interactive mode requires explicit user consent (y/n) before each MCP server starts; use `--dangerously-run-mcp-servers` flag only in trusted environments to bypass consent.
  • CLI output is experimental; if enterprise deployment, contact Snyk account team for stable integration guidance (underlying Evo platform integration is stable).
  • Auto-discovers configs across multiple OS-specific paths (e.g., ~/.claude, ~/.config, ProgramData on Windows); detection coverage varies by agent and component type (see README matrix).

When to avoid it — and what to weigh

  • Production CLI Dependency — Do not build production workflows that depend on specific CLI output fields, issue codes, or response structure—README explicitly states these are experimental and subject to breaking change between releases.
  • Untrusted MCP Configs Without Sandboxing — Avoid running scans on untrusted third-party MCP configurations without sandboxing (Docker, VM); scanning executes the stdio MCP server commands defined in configs, creating execution risk if configs are malicious.
  • No SCA or General-Purpose Vulnerability Scanning — Agent Scan is agent-component-specific; it is not a general-purpose software composition analysis (SCA) tool. Do not use it as a replacement for dependency scanning or CVE detection in application code.
  • Offline or Air-Gapped Environments — Requires Snyk API token and external connectivity; cannot function offline. Not suitable for fully air-gapped or restricted-network deployments.

License & commercial use

Licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved license permitting commercial use, modification, and distribution with attribution and no liability warranty.

Apache-2.0 permits commercial use of the scanner itself. However, Snyk requires API token authentication against its backend service; review Snyk's commercial terms and data handling policies separately. Enterprise customers have dedicated support and stable API contracts.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Execution Risk: Scanning MCP configs requires starting stdio servers, executing arbitrary commands from config files; requires user consent in interactive mode and sandboxing for untrusted sources. No explicit audit log, attestation, or supply-chain provenance mentioned. Snyk's backend processes agent configs; review data residency and privacy terms separately. Scanner detects prompt injection and malware payloads in skills but is itself subject to regular updates; keep token and tool current.

Alternatives to consider

Snyk Code/Container/IaC (general SCA tools)

Snyk's broader suite for general dependency and infrastructure scanning; complementary but not agent-ecosystem-specific. Mismatched for MCP server and agent skill risk.

Custom static analysis or SAST tools (Semgrep, Bandit)

Can scan skills (Markdown files) and MCP server code for patterns but require custom rules for prompt injection detection and lack agent auto-discovery; higher operational burden.

Manual code review + agent vendor documentation

No automation; suitable only for small teams with very few MCP servers or skills. Does not scale and misses emerging threat patterns.

Software development agency

Build on agent-scan with DEV.co software developers

Run a free scan of your machine's agent components today. Sign up for Snyk, get your API token, and use `uvx snyk-agent-scan@latest` to detect prompt injection and tool poisoning risks in seconds.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

agent-scan FAQ

Is Agent Scan suitable for production CI/CD workflows?
Partially. The underlying Snyk Evo integration (enterprise mode) is stable, but the CLI output format is experimental and may break between releases. For production workflows, use enterprise mode with Snyk account team guidance, or treat CLI parsing as fragile and require frequent updates.
Can I run scans offline or in an air-gapped environment?
No. Agent Scan requires Snyk API token and external connectivity to Snyk's backend for analysis. It cannot function offline.
What happens if I run a scan on a malicious MCP config file?
By default, interactive mode prompts for consent before executing each MCP server command, showing the exact command and args. Use `--dangerously-run-mcp-servers` only in trusted environments. For untrusted configs, run scans inside a sandbox (Docker, VM, or disposable environment).
Does Agent Scan replace traditional SAST or dependency scanning?
No. Agent Scan is specialized for AI agent components (MCP servers, skills). For general code vulnerabilities and supply-chain risk, continue using Snyk Code, SCA tools, or other SAST/DAST solutions.

Software developers & web developers for hire

DEV.co helps companies turn open-source tools like agent-scan into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your mcp servers stack.

Secure Your AI Agent Ecosystem

Run a free scan of your machine's agent components today. Sign up for Snyk, get your API token, and use `uvx snyk-agent-scan@latest` to detect prompt injection and tool poisoning risks in seconds.