Package Exports
- agentaudit
- agentaudit/index.mjs
🛡️ AgentAudit
Security scanner for AI packages
Scan MCP servers, agent skills, and AI tools for vulnerabilities — from the terminal or via MCP.
Quick Start

```bash
# Install globally
npm install -g agentaudit

# Setup (register + get API key — free, one-time)
agentaudit setup

# Scan a repo
agentaudit scan https://github.com/owner/repo

# Scan multiple repos
agentaudit scan repo1 repo2 repo3

# Check if a package has been audited
agentaudit check fastmcp
```

Or run without installing:

```bash
npx agentaudit scan https://github.com/owner/repo
```

What it does
```text
◉ google-workspace-mcp https://github.com/taylorwilsdon/google_workspace_mcp
│ Python mcp-server 31 files scanned in 1.0s
│
├── tool drive_service ✔ ok
├── tool docs_service ✔ ok
├── tool start_google_auth ✔ ok
└── tool set_enabled_tools ✔ ok
│
│ Findings (2) static analysis — may include false positives
├── ● MEDIUM Potential hardcoded secret
│ .env.oauth21:9 SECRET="your-google-client-secret"
└── ● MEDIUM Potential path traversal
    auth/credential_store.py:123
│
└── registry LOW Risk 10 https://agentaudit.dev/skills/google-workspace-mcp
```

Detects:
- 🔴 Prompt injection & tool poisoning
- 🔴 Shell command injection
- 🔴 SQL injection
- 🟡 Hardcoded secrets
- 🟡 SSL/TLS verification disabled
- 🟡 Path traversal
- 🟡 Unsafe YAML/pickle deserialization
- 🔵 Wildcard CORS
- 🔵 Undisclosed telemetry
Plus registry lookup — shows if a package has already been officially audited on agentaudit.dev.
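To make "regex-based static analysis" concrete, here is a small scanner in the same spirit, added as an illustration; it is not AgentAudit's own code, and its pattern ids, severities, placeholder heuristic and sample files are assumptions. It runs checks for several of the categories listed above over a constructed three-file repository and shows why a value like the `SECRET="your-google-client-secret"` line in the sample output is flagged but belongs in a review pile rather than triggering a key rotation.

```javascript
// Added illustration, not AgentAudit's own scanner. Pattern ids, severities,
// the placeholder heuristic and the sample repo below are assumptions.

const PATTERNS = [
  {
    id: 'hardcoded-secret', severity: 'MEDIUM',
    // KEY = "value" assignments for common secret names; group 1 is the value
    re: /\b(?:SECRET|API_KEY|PASSWORD|TOKEN)\s*=\s*["']([^"']+)["']/i,
  },
  {
    id: 'shell-injection', severity: 'HIGH',
    // subprocess / child_process calls whose argument is built by concatenation
    // or string formatting rather than passed as a fixed argv list
    re: /\b(?:os\.system|subprocess\.(?:call|run|Popen)|child_process\.exec)\s*\([^)]*(?:\+|\$\{|%s|\.format\(|\bf["'])/,
  },
  {
    id: 'tls-verify-disabled', severity: 'MEDIUM',
    re: /\bverify\s*=\s*False\b|rejectUnauthorized\s*:\s*false\b/,
  },
  {
    id: 'unsafe-deserialization', severity: 'MEDIUM',
    // yaml.load with no SafeLoader anywhere on the line, or any pickle.load(s)
    re: /\byaml\.load\((?!.*SafeLoader)|\bpickle\.loads?\(/,
  },
  {
    id: 'wildcard-cors', severity: 'LOW',
    re: /Access-Control-Allow-Origin["']?\s*[:,]\s*["']\*["']|allow_origins\s*=\s*\[\s*["']\*["']\s*\]/,
  },
];

// Values that look like secrets but are documentation placeholders. A reviewer
// triages these as false positives instead of rotating a key that never existed.
const PLACEHOLDER = /^(?:your[-_]|<.*>$|changeme|replace[-_]me|xxx)/i;

function scanFile(path, text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const p of PATTERNS) {
      const m = p.re.exec(line);
      if (!m) continue;
      const finding = { id: p.id, severity: p.severity, file: path, line: idx + 1, snippet: line.trim() };
      if (p.id === 'hardcoded-secret' && PLACEHOLDER.test(m[1])) finding.note = 'likely placeholder';
      findings.push(finding);
    }
  });
  return findings;
}

// files: { path: contents }
function scanRepo(files) {
  return Object.entries(files).flatMap(([path, text]) => scanFile(path, text));
}

// Split findings the way a reviewer would: placeholders go to a review pile,
// everything else is actionable.
function triage(findings) {
  return {
    actionable: findings.filter((f) => !f.note),
    review: findings.filter((f) => f.note),
  };
}

// Constructed sample repository (not real project files).
const SAMPLE_REPO = {
  '.env.oauth21': 'CLIENT_ID="abc123"\nSECRET="your-google-client-secret"\n',
  'server.py': [
    'import subprocess, requests, yaml',
    'def run(cmd):',
    '    subprocess.run("ls " + cmd, shell=True)',
    'requests.get(url, verify=False)',
    'cfg = yaml.load(open("c.yml"))',
    'safe = yaml.load(open("c.yml"), Loader=yaml.SafeLoader)',
  ].join('\n'),
  'app.js': [
    'res.setHeader("Access-Control-Allow-Origin", "*");',
    'const API_KEY = "sk-live-REALKEY123";',
  ].join('\n'),
};

for (const f of scanRepo(SAMPLE_REPO)) {
  const note = f.note ? `  (${f.note})` : '';
  console.log(`${f.severity.padEnd(6)} ${f.id.padEnd(22)} ${f.file}:${f.line}${note}`);
}
```

Against the sample repo this reports six findings: the placeholder secret (marked for review), the concatenated `subprocess.run` argument, `verify=False`, the `yaml.load` call without `SafeLoader` (the `SafeLoader` line is correctly skipped), the wildcard CORS header and the real-looking `API_KEY`. Line-oriented regexes cannot see data flow, so multi-line string building or an indirect call would slip past them; that is the gap the LLM-based `audit` command is meant to cover.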
MCP Server
Use AgentAudit as an MCP server in Claude Desktop, Cursor, Windsurf, or any MCP client. Your AI agent gets three tools:
| Tool | Description |
|---|---|
| audit_package | Clone a repo, return source code + audit prompt for deep LLM analysis |
| submit_report | Upload completed audit report to agentaudit.dev |
| check_package | Look up a package in the registry |
Claude Desktop / Claude Code

~/.claude/mcp.json:

```json
{
  "mcpServers": {
    "agentaudit": {
      "command": "npx",
      "args": ["-y", "agentaudit"]
    }
  }
}
```

Cursor

.cursor/mcp.json:

```json
{
  "mcpServers": {
    "agentaudit": {
      "command": "npx",
      "args": ["-y", "agentaudit"]
    }
  }
}
```

Windsurf

~/.codeium/windsurf/mcp_config.json:

```json
{
  "mcpServers": {
    "agentaudit": {
      "command": "npx",
      "args": ["-y", "agentaudit"]
    }
  }
}
```

That's it. No manual clone, no path config. npx handles everything. Note that `-y` skips npx's install prompt and, with no version given, runs whatever the latest published release is at launch, so pin a version if you need reproducible behaviour.
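Because `npx -y agentaudit` resolves the package's latest published version each time the client launches (subject to npm's cache), every start is a fresh supply-chain decision. The variant below, an added example rather than a configuration shipped by the project, pins the version instead; `X.Y.Z` is a placeholder for the release you have reviewed, not a real version number.

```json
{
  "mcpServers": {
    "agentaudit": {
      "command": "npx",
      "args": ["-y", "agentaudit@X.Y.Z"]
    }
  }
}
```

The same `args` change applies to the Cursor and Windsurf files. Pinning fixes which code runs but does not verify it, so review the pinned release before trusting it with access to your agent's tool calls.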
How the MCP audit works

```text
Agent calls audit_package("https://github.com/owner/repo")
        ↓
MCP Server clones repo, collects source files (max 300KB)
        ↓
Returns source code + 3-pass audit methodology
        ↓
Agent's LLM analyzes code (UNDERSTAND → DETECT → CLASSIFY)
        ↓
Agent calls submit_report(findings)
        ↓
Report published at agentaudit.dev/skills/{slug}
```

Setup & Authentication
```bash
agentaudit setup
```

Interactive wizard — choose:
- Register new agent (free) → API key created automatically
- Enter existing API key → if you already have one

Credentials are stored in ~/.config/agentaudit/credentials.json (survives reinstalls). The file is plain JSON, so keep it readable only by your user (for example `chmod 600`) and prefer the environment variable on shared or CI machines.

The MCP server finds credentials automatically from:
- the AGENTAUDIT_API_KEY environment variable
- ~/.config/agentaudit/credentials.json

Scanning and checking work without a key. Only submitting reports requires authentication.
CLI Reference

```text
agentaudit discover                Find local MCP servers + check registry
agentaudit scan <url> [url...]     Quick static scan (regex, ~2s)
agentaudit audit <url> [url...]    Deep LLM-powered audit (~30s)
agentaudit check <name>            Look up package in registry
agentaudit setup                   Register + configure API key
```

scan vs audit

| | scan | audit |
|---|---|---|
| How | Regex-based static analysis | LLM 3-pass analysis (UNDERSTAND → DETECT → CLASSIFY) |
| Speed | ~2 seconds | ~30 seconds |
| Depth | Pattern matching | Semantic code understanding |
| Needs API key | No | Yes (ANTHROPIC_API_KEY or OPENAI_API_KEY; not needed with `--export`) |
| Upload to registry | No | Yes (with agentaudit setup) |

Use scan for quick checks, audit for thorough analysis. Pattern matching can both miss issues and flag placeholders (the scan output itself is labelled "may include false positives"), so treat scan findings as leads to review rather than verdicts.
Examples

```bash
# Discover all MCP servers on your machine
agentaudit discover

# Quick scan
agentaudit scan https://github.com/jlowin/fastmcp

# Deep audit (requires ANTHROPIC_API_KEY or OPENAI_API_KEY)
agentaudit audit https://github.com/jlowin/fastmcp

# Export audit for manual LLM review (no API key needed)
agentaudit audit https://github.com/owner/repo --export

# Check registry
agentaudit check mongodb-mcp-server
```

Requirements
- Node.js 18+
- Git (for cloning repos during scan)
Related
- agentaudit.dev — Trust registry & audit reports
- agentaudit-skill — Full agent skill with gate scripts, detection patterns & peer review