Security scanner for AI agent plugins, skills, and MCP packages
Project description
AgentSift
Security scanner for AI agent plugins, skills, and MCP packages
npm audit for the AI agent ecosystem
Features | Quick Start | Ecosystems | Contributing | Roadmap
The Problem
AI agent ecosystems are under attack. The numbers are alarming:
- 12% of ClawHub packages contain malicious payloads (ClawHavoc incident)
- 41.7% of 2,890+ OpenClaw skills have serious security vulnerabilities
- 43% of MCP servers have command injection vulnerabilities
- 43% of MCP servers have OAuth authentication flaws
- $16M+ in losses from a single supply chain attack campaign
Traditional security scanners (Snyk, Trivy, Semgrep) were built for traditional software. They cannot detect threats unique to AI agent ecosystems: tool poisoning, prompt injection via plugins, credential theft through MCP servers, and behavioral manipulation of autonomous agents.
AgentSift fills this gap.
Features
- Static Analysis -- Detect suspicious patterns: obfuscated code, hidden network calls, credential access, crypto wallet targeting
- Behavioral Sandbox -- Execute plugins in an isolated environment and monitor actual system calls, network connections, and file access
- Reputation Scoring -- Risk score based on author history, download patterns, code similarity to known malware, and community signals
- SBOM Generation -- Software Bill of Materials in CycloneDX/SPDX format for compliance
- CI/CD Integration -- SARIF output for GitHub Advanced Security, GitLab SAST, and other platforms
- Detection Rules -- Extensible YAML-based rule engine (bring your own rules or use built-in detections)
Quick Start
# Install
pip install agentsift
# Scan a ClawHub skill
agentsift scan clawhub:cryptocurrency-trader
# Scan an MCP package from npm
agentsift scan npm:@modelcontextprotocol/server-postgres
# Scan a local plugin directory
agentsift scan ./my-agent-plugin/
# Scan with full behavioral analysis (slower, more thorough)
agentsift scan --deep clawhub:cryptocurrency-trader
# Output SARIF for CI/CD
agentsift scan --format sarif -o results.sarif clawhub:some-skill
# Generate SBOM
agentsift sbom --format cyclonedx clawhub:some-skill
Supported Ecosystems
| Ecosystem | Status | Description |
|---|---|---|
| ClawHub | v0.1 |
OpenClaw skills marketplace |
| MCP (npm) | v0.1 |
Model Context Protocol servers on npm |
| MCP (PyPI) | v0.2 |
MCP servers on PyPI |
| LangChain Hub | Planned | LangChain tools and chains |
| CrewAI Tools | Planned | CrewAI tool packages |
| Custom | v0.1 |
Any local directory with agent code |
How It Works
+-----------------+
| agentsift |
| scan <pkg> |
+--------+--------+
|
+--------------+--------------+
| | |
+--------v---+ +------v------+ +----v--------+
| Static | | Behavioral | | Reputation |
| Analysis | | Sandbox | | Scoring |
+--------+---+ +------+------+ +----+--------+
| | |
+--------------+--------------+
|
+--------v--------+
| Risk Score & |
| Report Output |
| (JSON/SARIF/ |
| CycloneDX) |
+-----------------+
Static Analysis
Scans source code for patterns known to be associated with malicious AI agent plugins:
- Network exfiltration: Hidden HTTP calls, DNS tunneling, WebSocket connections to unknown hosts
- Credential harvesting: Access to environment variables, SSH keys, browser credential stores, crypto wallets
- Code obfuscation: Base64-encoded payloads,
eval()/exec()usage, dynamic imports - Prompt injection: Embedded instructions designed to manipulate the host AI agent
- Privilege escalation: Attempts to escape sandboxes, modify system files, or escalate permissions
Behavioral Sandbox
Executes the plugin in an isolated container and monitors:
- System calls (via seccomp-bpf)
- Network connections (DNS queries, HTTP requests, raw sockets)
- File system access (reads, writes, deletes outside expected paths)
- Process spawning (unexpected child processes)
- Resource consumption (CPU, memory, disk anomalies)
Reputation Scoring
Calculates a 0-100 risk score based on:
- Author account age and verification status
- Download count and velocity patterns
- Code similarity to known malicious packages (via fuzzy hashing)
- Dependency chain analysis
- Community reports and flags
Detection Rules
AgentSift uses YAML-based detection rules:
# rules/credential-access.yaml
id: AS-001
name: environment-variable-exfiltration
severity: critical
description: Plugin accesses sensitive environment variables and makes network calls
patterns:
- type: code
match: "os.environ|process.env"
context: "network_call_in_same_scope"
- type: behavior
match: "dns_query_after_env_read"
tags: [credential-theft, exfiltration]
ecosystems: [clawhub, mcp, npm]
Write custom rules and contribute them back to the community!
CI/CD Integration
GitHub Actions
- name: Scan MCP dependencies
uses: agentsift/agentsift-action@v1
with:
targets: "mcp-packages.json"
fail-on: "high"
GitLab CI
agentsift-scan:
image: agentsift/agentsift:latest
script:
- agentsift scan --format sarif -o gl-agentsift-report.sarif ./
artifacts:
reports:
sast: gl-agentsift-report.sarif
Comparison with Existing Tools
| Feature | AgentSift | Cisco MCP Scanner | Snyk | Trivy |
|---|---|---|---|---|
| AI agent plugin scanning | Yes | MCP only | No | No |
| Behavioral sandbox | Yes | No | No | No |
| ClawHub support | Yes | No | No | No |
| MCP server scanning | Yes | Yes | No | No |
| Prompt injection detection | Yes | No | No | No |
| SBOM generation | Yes | No | Yes | Yes |
| SARIF output | Yes | No | Yes | Yes |
| Custom detection rules | Yes | Limited | No | Yes |
Project Status
Alpha -- Under active development. APIs may change. Not yet recommended for production use.
See the Roadmap for planned features and milestones.
Contributing
We welcome contributions! See CONTRIBUTING.md for guidelines.
Priority areas:
- Detection rules for new attack patterns
- Support for additional ecosystems
- Behavioral sandbox improvements
- Documentation and translations
Security
Found a vulnerability in AgentSift itself? See SECURITY.md for responsible disclosure.
License
Apache License 2.0 -- See LICENSE
Acknowledgments
This project is informed by research from:
- OWASP Top 10 for Agentic Applications
- Cisco MCP Scanner
- Meta LlamaFirewall
- NVIDIA NemoClaw
- Ona Research on AI sandbox escapes
Built with the belief that AI agents should be safe by default.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file agentsift-0.1.0.tar.gz.
File metadata
- Download URL: agentsift-0.1.0.tar.gz
- Upload date:
- Size: 37.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
082551bee2f40de6260d58cadad6a8b810cae4b49351a60c1fd692ff7ad1b647
|
|
| MD5 |
79ddf480363dc6aa92ed3f2b228832be
|
|
| BLAKE2b-256 |
eb502831ac165fd8c89808f28973524ecbd3132a6d627aa101f958b5dd21c8bb
|
File details
Details for the file agentsift-0.1.0-py3-none-any.whl.
File metadata
- Download URL: agentsift-0.1.0-py3-none-any.whl
- Upload date:
- Size: 33.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0bec068b22218ec4a2b20316520170e818261c6f732115717c7160701f36906d
|
|
| MD5 |
5686137c01f365331e7eba27a72a0972
|
|
| BLAKE2b-256 |
9da44504dbd8d372becd19c5bcb59b976313d087ebd11ff7e4bfb7f04ab7221b
|
