agent-scan
Agent Scan is a Python-based security scanner from Snyk that discovers and audits AI agent components (MCP servers, agent skills) on your machine for vulnerabilities like prompt injection and malware. It auto-detects configurations across 12+ agents including Claude, Cursor, and Windsurf, and reports 15+ risk types across multiple OS platforms.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | snyk/agent-scan |
| Owner | snyk |
| Primary language | Python |
| License | Apache-2.0 — OSI-approved |
| Stars | 2.8k |
| Forks | 244 |
| Open issues | 3 |
| Latest release | v0.5.12 (2026-06-23) |
| Last updated | 2026-07-07 |
| Source | https://github.com/snyk/agent-scan |
What agent-scan is
CLI tool that performs static and dynamic analysis of MCP server configurations and agent skill definitions, executing stdio MCP servers during interactive scans to validate tool descriptions and detect prompt injection, tool poisoning, toxic flows, and credential handling issues. Requires Snyk API token for analysis and reports structured findings via experimental CLI output.
Get the agent-scan source
Clone the repository and explore it locally.
git clone https://github.com/snyk/agent-scan.gitcd agent-scan# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Snyk account creation and API token (free tier available) before any scan; set SNYK_TOKEN environment variable before invocation.
- Install via `uvx snyk-agent-scan@latest` (Python-based, requires uv package manager); supports Python 3.x versions (exact minimum version not specified in data).
- Interactive mode requires explicit user consent (y/n) before each MCP server starts; use `--dangerously-run-mcp-servers` flag only in trusted environments to bypass consent.
- CLI output is experimental; if enterprise deployment, contact Snyk account team for stable integration guidance (underlying Evo platform integration is stable).
- Auto-discovers configs across multiple OS-specific paths (e.g., ~/.claude, ~/.config, ProgramData on Windows); detection coverage varies by agent and component type (see README matrix).
When to avoid it — and what to weigh
- Production CLI Dependency — Do not build production workflows that depend on specific CLI output fields, issue codes, or response structure—README explicitly states these are experimental and subject to breaking change between releases.
- Untrusted MCP Configs Without Sandboxing — Avoid running scans on untrusted third-party MCP configurations without sandboxing (Docker, VM); scanning executes the stdio MCP server commands defined in configs, creating execution risk if configs are malicious.
- No SCA or General-Purpose Vulnerability Scanning — Agent Scan is agent-component-specific; it is not a general-purpose software composition analysis (SCA) tool. Do not use it as a replacement for dependency scanning or CVE detection in application code.
- Offline or Air-Gapped Environments — Requires Snyk API token and external connectivity; cannot function offline. Not suitable for fully air-gapped or restricted-network deployments.
License & commercial use
Licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved license permitting commercial use, modification, and distribution with attribution and no liability warranty.
Apache-2.0 permits commercial use of the scanner itself. However, Snyk requires API token authentication against its backend service; review Snyk's commercial terms and data handling policies separately. Enterprise customers have dedicated support and stable API contracts.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Execution Risk: Scanning MCP configs requires starting stdio servers, executing arbitrary commands from config files; requires user consent in interactive mode and sandboxing for untrusted sources. No explicit audit log, attestation, or supply-chain provenance mentioned. Snyk's backend processes agent configs; review data residency and privacy terms separately. Scanner detects prompt injection and malware payloads in skills but is itself subject to regular updates; keep token and tool current.
Alternatives to consider
Snyk Code/Container/IaC (general SCA tools)
Snyk's broader suite for general dependency and infrastructure scanning; complementary but not agent-ecosystem-specific. Mismatched for MCP server and agent skill risk.
Custom static analysis or SAST tools (Semgrep, Bandit)
Can scan skills (Markdown files) and MCP server code for patterns but require custom rules for prompt injection detection and lack agent auto-discovery; higher operational burden.
Manual code review + agent vendor documentation
No automation; suitable only for small teams with very few MCP servers or skills. Does not scale and misses emerging threat patterns.
Build on agent-scan with DEV.co software developers
Run a free scan of your machine's agent components today. Sign up for Snyk, get your API token, and use `uvx snyk-agent-scan@latest` to detect prompt injection and tool poisoning risks in seconds.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
agent-scan FAQ
Is Agent Scan suitable for production CI/CD workflows?
Can I run scans offline or in an air-gapped environment?
What happens if I run a scan on a malicious MCP config file?
Does Agent Scan replace traditional SAST or dependency scanning?
Software developers & web developers for hire
DEV.co helps companies turn open-source tools like agent-scan into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your mcp servers stack.
Secure Your AI Agent Ecosystem
Run a free scan of your machine's agent components today. Sign up for Snyk, get your API token, and use `uvx snyk-agent-scan@latest` to detect prompt injection and tool poisoning risks in seconds.