Package Exports
- hackmyagent
- hackmyagent/dist/index.js
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (hackmyagent) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
HackMyAgent CLI
Part of OpenA2A — open-source security for AI agents
Website: hackmyagent.com — Scan external infrastructure for exposed MCP endpoints, configs, and credentials
Disclaimer
HackMyAgent performs passive reconnaissance only (port checks and HTTP requests) — it does not exploit vulnerabilities. However, please only scan systems you own or have permission to test. The authors assume no liability for misuse of this tool.
npx hackmyagent check @publisher/skill # verify a skill before installing
npx hackmyagent secure # harden your agent setup (100 checks)
npx hackmyagent secure --fix # auto-fix security issues
npx hackmyagent scan example.com # scan for exposed infrastructureTwo Ways to Scan
| Tool | Use Case |
|---|---|
| hackmyagent.com | Scan external targets — check if your MCP servers, configs, or credentials are exposed on the internet |
npx hackmyagent secure |
Scan local projects — harden your agent setup before deploying |
Why HackMyAgent?
AI agents are powerful but introduce new attack surfaces. Skills can be malicious. Configs can leak secrets. MCP servers can be exposed. HackMyAgent helps you:
- Check skills before installing (publisher verification, permission analysis)
- Secure your agent setup (100-point CIS security scan, auto-remediation)
- Scan external infrastructure (exposed MCP endpoints, leaked configs)
Installation
# Use directly with npx (no install needed)
npx hackmyagent secure
# Or install globally
npm install -g hackmyagent
# Or add to your project
npm install --save-dev hackmyagentCommands
hackmyagent secure
Scan and harden your local agent setup with 100 security checks across 24 categories.
# Basic scan
hackmyagent secure
# Scan specific directory
hackmyagent secure ./my-project
# Auto-fix issues
hackmyagent secure --fix
# Preview fixes without applying
hackmyagent secure --fix --dry-run
# Skip specific checks
hackmyagent secure --ignore CRED-001,GIT-002
# JSON output for CI/CD
hackmyagent secure --json
# Show all checks (including passed)
hackmyagent secure --verboseSecurity Categories:
| Category | Checks | Description |
|---|---|---|
| CRED | 4 | Credential exposure detection |
| MCP | 12 | MCP server configuration |
| CLAUDE | 8 | Claude Code security |
| NET | 6 | Network security |
| PROMPT | 4 | Prompt injection defenses |
| INJ | 4 | Input validation (XSS, SQL, cmd) |
| ENCRYPT | 4 | Encryption at rest |
| SESSION | 4 | Session management |
| AUDIT | 4 | Audit trails |
| SANDBOX | 4 | Process isolation |
| TOOL | 4 | Tool permission boundaries |
| And 13 more... | 42 | Auth, deps, env, git, io, log, perm, proc, rate, sec, api, vscode, cursor |
Exit Codes:
0- No critical/high issues1- Critical or high severity issues found
hackmyagent check
Verify a skill's safety before installing.
hackmyagent check @publisher/skill-name
hackmyagent check @anthropic/claude-mcp --verbose
hackmyagent check @publisher/skill --json
hackmyagent check @publisher/skill --offline # skip DNS verificationChecks performed:
- Publisher identity via DNS TXT records
- Permissions requested (filesystem, network, shell access)
- Revocation status against global blocklist
Note: Only scan systems you own or have permission to test.
Risk Levels: low, medium, high, critical
hackmyagent scan
Scan external infrastructure for exposed AI agent endpoints.
hackmyagent scan example.com
hackmyagent scan 192.168.1.100 -p 3000,8080
hackmyagent scan example.com --verbose
hackmyagent scan example.com --jsonDetects:
- Exposed MCP SSE/tools endpoints
- Public configuration files
- API keys in responses
- Debug/admin interfaces
Scoring: A (90-100), B (80-89), C (70-79), D (60-69), F (<60)
hackmyagent secure-openclaw
Scan OpenClaw/Moltbot installations with 34 specialized security checks and auto-remediation.
hackmyagent secure-openclaw # scan default location
hackmyagent secure-openclaw ~/.moltbot # scan specific directory
hackmyagent secure-openclaw --fix # auto-fix gateway misconfigurations
hackmyagent secure-openclaw --fix --dry-run # preview fixes
hackmyagent secure-openclaw --json # JSON output for CI/CDDetects:
- Unsigned/malicious skills (ClawHavoc campaign patterns)
- ClickFix social engineering attacks
- Reverse shell backdoors
- Credential exfiltration (wallets, SSH keys, API keys)
- Heartbeat/cron abuse
- Gateway misconfigurations (GHSA-g8p2 vulnerability)
- Disabled sandbox/approval confirmations
Auto-Fix (with --fix):
| Check | Before | After |
|---|---|---|
| GATEWAY-001 | 0.0.0.0 |
127.0.0.1 (local-only) |
| GATEWAY-003 | Plaintext token | ${OPENCLAW_AUTH_TOKEN} env var |
| GATEWAY-004 | Approvals disabled | Approvals enabled |
| GATEWAY-005 | Sandbox disabled | Sandbox enabled |
Check Categories:
| Category | Checks | Description |
|---|---|---|
| SKILL | 12 | Malicious skill detection |
| HEARTBEAT | 6 | Heartbeat/cron abuse |
| GATEWAY | 6 | Gateway misconfigurations (4 auto-fixable) |
| CONFIG | 6 | Insecure settings |
| SUPPLY | 4 | Supply chain attacks |
See SECURITY_CHECKS.md for full documentation.
hackmyagent rollback
Undo auto-fix changes.
hackmyagent rollback # rollback current directory
hackmyagent rollback ./my-project # rollback specific directoryBackups are automatically created in .hackmyagent-backup/ with timestamps.
CI/CD Integration
GitHub Actions
name: Security Scan
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
- run: npx hackmyagent secure --json > security-report.json
- uses: actions/upload-artifact@v4
with:
name: security-report
path: security-report.jsonPre-commit Hook
# .git/hooks/pre-commit
#!/bin/sh
npx hackmyagent secure --ignore LOG-001,RATE-001JSON Output
All commands support --json for machine-readable output:
hackmyagent secure --json | jq '.findings[] | select(.severity == "critical")'Supported Platforms
- Claude Code - CLAUDE.md, skills, MCP servers
- Cursor - .cursor/ rules, MCP configurations
- VSCode - .vscode/mcp.json configurations
- Generic MCP - Any MCP server setup
Security Check Reference
For the complete list of 100 security checks with descriptions and remediation guidance, see SECURITY_CHECKS.md.
Auto-Fix Capabilities
The following issues can be automatically fixed with --fix:
General (hackmyagent secure --fix):
| Check ID | Issue | Auto-Fix Action |
|---|---|---|
| CRED-001 | Exposed API keys | Replace with env var reference |
| GIT-001 | Missing .gitignore | Create with secure defaults |
| GIT-002 | Incomplete .gitignore | Add missing patterns |
| PERM-001 | Overly permissive files | Set restrictive permissions |
| MCP-001 | Root filesystem access | Scope to project directory |
| NET-001 | Bound to 0.0.0.0 | Bind to 127.0.0.1 |
OpenClaw (hackmyagent secure-openclaw --fix):
| Check ID | Issue | Auto-Fix Action |
|---|---|---|
| GATEWAY-001 | Bound to 0.0.0.0 | Bind to 127.0.0.1 |
| GATEWAY-003 | Plaintext token in config | Replace with ${OPENCLAW_AUTH_TOKEN} |
| GATEWAY-004 | Approvals disabled | Enable approval confirmations |
| GATEWAY-005 | Sandbox disabled | Enable sandbox mode |
Always use --dry-run first to preview changes. Backups are created automatically.
Environment Variables
| Variable | Description |
|---|---|
NO_COLOR |
Disable colored output |
HACKMYAGENT_TIMEOUT |
Default timeout for scans (ms) |
Test Fixtures
Sample projects with intentional security issues for testing:
# Test the scanner against example projects
npx hackmyagent secure test-fixtures/insecure-api # Score: 27/100
npx hackmyagent secure test-fixtures/insecure-mcp # Score: 0/100
npx hackmyagent secure test-fixtures/insecure-library # Score: 60/100
npx hackmyagent secure test-fixtures/clean-project # Score: 100/100
# Test auto-fix
npx hackmyagent secure test-fixtures/insecure-api --fixSee test-fixtures/README.md for details.
Contributing
Contributions welcome! See CONTRIBUTING.md for guidelines.
# Development setup
git clone https://github.com/ecolibria/hackmyagent.git
cd hackmyagent
npm install
npm run build
npm testLicense
Apache-2.0
Secure What You Find
HackMyAgent finds vulnerabilities. AIM fixes them — the open-source NHI platform for AI agents with cryptographic identity, governance, and access control.