Agent Scan
Security scanner for AI agents, MCP servers and agent skills.
uvx snyk-agent-scan@latest
# Snyk Agent Scan

Discover and scan agent components on your machine for prompt injections and vulnerabilities (including agents, MCP servers, skills).

> **NEW** Read our [technical report on the emerging threats of the agent skill eco-system](.github/reports/skills-report.pdf) published together with Agent Scan 0.4, which adds support for scanning agent skills.

Agent Scan helps you keep an inventory of all your installed agent components (harnesses, MCP servers, and skills) and scans them for common threats like prompt injections, sensitive data handling, or malware payloads hidden in natural language. Ignore analysis on skills by using `--no-skills`.

## Security Warning

> **⚠️ IMPORTANT: Scanning MCP configurations will execute the commands defined in them.**
>
> When Agent Scan scans an MCP configuration file, it starts the stdio MCP servers by executing the commands and arguments specified in the config. This is necessary to retrieve tool descriptions and perform security analysis.
>
> **Recommendations:**
> - **Run scans inside a sandbox** (Docker container, VM, or disposable environment) when evaluating untrusted or third-party MCP configs
> - **Review the consent prompt carefully** during interactive scans, it shows the exact command and arguments that will be executed for each server
> - **Use `--dangerously-run-mcp-servers`** only in trusted environments where you've verified all MCP server commands
>
> By default, Agent Scan requires explicit user consent (y/n) before starting each stdio MCP server during interactive runs. This gives you control over what gets executed on your system.

## Highlights

- Auto-discover MCP configurations, agent tools, skills
- Scanning of Claude, Cursor, Windsurf, Gemini CLI, Amp, Amazon Q, and other agents.
- Detects [15+ distinct security risks](docs/issue-codes.md) across MCP servers and agent skills:
  - MCP: [Prompt Injection](docs/issue-codes.md#E001), [Tool Poisoning](docs/issue-codes.md#E001), [Tool Shadowing](docs/issue-codes.md#E002), [Toxic Flows](docs/issue-codes.md#ToxicFlows)
  - Skills: [Prompt Injection](docs/issue-codes.md#E004), [Malware Payloads](docs/issue-codes.md#E006), [Untrusted Content](docs/issue-codes.md#W011), [Credential Handling](docs/issue-codes.md#W007), [Hardcoded Secrets](docs/issue-codes.md#W008)

## Supported agents and capabilities

Agent Scan auto-discovers agents and their capabilities (MCP servers or skills) when their install paths exist. The table reflects [well-known agent definitions](src/agent_scan/well_known_clients.py).

- **✓**: at least one path is defined for that capability.
- **✗**: the agent is listed for that OS but has no paths for that capability.
- **—**: that agent is not included for that OS.
- **Skills**: Skills can be ignored by using `--no-skills`

| Agent | macOS MCP | macOS Skills | Linux MCP | Linux Skills | Windows MCP | Windows Skills |
| --- | :---: | :---: | :---: | :---: | :---: | :---: |
| Windsurf | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cursor | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| VS Code | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Claude Desktop | ✓ | ✗ | — | — | ✓ | ✗ |
| Claude Code | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Gemini CLI | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| OpenClaw | ✗ | ✓ | ✗ | ✓ | ✗ | ✓ |
| Amp | ✗ | ✓ | ✗ | ✓ | ✗ | ✓ |
| Kiro | ✓ | ✗ | ✓ | ✗ | ✓ | ✗ |
| OpenCode | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Antigravity | ✓ | ✗ | ✓ | ✗ | ✓ | ✗ |
| Codex | ✗ | ✓ | ✗ | ✓ | — | — |
| Amazon Q | ✓ | ✗ | ✓ | ✗ | ✓ (WSL) | ✗ |

## Quick Start

To get s...
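Relating to the Security Warning above, one way to review what a scan would start before giving consent. This is an added example, not code from Agent Scan: it lists the stdio command line of every server in a config. It assumes the `mcpServers` JSON layout used by clients such as Claude Desktop and Cursor; the sample config, its server names, and the `stdio_commands` helper are constructed for illustration.

```python
import json
import shlex

# Constructed sample config (not from the Agent Scan repository); assumes the
# "mcpServers" layout used by clients such as Claude Desktop and Cursor.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "files": {"command": "npx", "args": ["-y", "example-files-mcp", "/tmp/work"]},
    "notes": {"command": "sh", "args": ["-c", "python3 notes_server.py"]},
    "remote": {"url": "https://mcp.example.invalid/sse"}
  }
}
"""

SHELLS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}
FETCH_AND_RUN = {"npx", "uvx", "bunx", "pipx"}


def stdio_commands(config_text):
    """Return one record per stdio server: the command line that would be started."""
    servers = json.loads(config_text).get("mcpServers", {})
    records = []
    for name, entry in sorted(servers.items()):
        command = entry.get("command")
        if not command:  # url-based (remote) entries spawn no local process
            continue
        argv = [command, *[str(a) for a in entry.get("args", [])]]
        base = command.replace("\\", "/").rsplit("/", 1)[-1].lower()
        notes = []
        if base in SHELLS:
            notes.append("shell interpreter: arguments are executed as script text")
        if base in FETCH_AND_RUN:
            notes.append("package runner: may download and run code at start")
        if entry.get("env"):
            notes.append("sets environment variables: " + ", ".join(sorted(entry["env"])))
        records.append({"server": name, "argv": argv,
                        "cmdline": shlex.join(argv), "notes": notes})
    return records


if __name__ == "__main__":
    for rec in stdio_commands(SAMPLE_CONFIG):
        print(f"{rec['server']}: {rec['cmdline']}")
        for note in rec["notes"]:
            print(f"    note: {note}")
```

The listing only reads the JSON and starts nothing, so it can be run on an untrusted config outside a sandbox.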