Security scanner for AI Agent skills, plugins, and MCP servers
Project description
:large_blue_diamond: Prism Scanner
Security scanner for AI Agent skills, plugins, and MCP servers.
Prism analyzes code for malicious behavior before you install it — and checks your system for leftover threats after you uninstall.
Unlike marketplace-only trust scores, Prism gives you full lifecycle coverage with code-level transparency — pre-install, runtime, and post-uninstall — across every platform, completely open source.
Why Prism?
| Marketplace Trust Scores | Prism Scanner | |
|---|---|---|
| Pre-install | :white_check_mark: Reputation score | :white_check_mark: Deep code analysis |
| Post-uninstall | :x: | :white_check_mark: Residue & persistence scan |
| Inspection | Black-box rating | Code-level, rule-by-rule |
| Platforms | Single ecosystem | ClawHub, MCP, npm, pip |
| Source | Closed | Open (Apache 2.0) |
| Execution | Requires upload | Local-first, offline OK |
Quick Start
pip install prism-scanner
# Scan a local skill directory
prism scan ./my-skill/
# Scan a GitHub repo directly
prism scan https://github.com/user/skill-repo
# Check your system for agent residue
prism clean --scan
# Generate a cleanup plan (non-destructive)
prism clean --plan
# Execute cleanup with automatic backups
prism clean --apply
Homebrew (macOS)
brew tap prismlab/tools
brew install prism-scanner
npx (no install needed)
npx prism-scanner scan https://github.com/user/skill-repo
GitHub Action (CI/CD)
Add Prism to your CI pipeline — findings appear in GitHub's Security tab:
# .github/workflows/prism-scan.yml
name: Prism Security Scan
on: [push, pull_request]
permissions:
security-events: write
contents: read
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: aidongise-cell/prism-scanner@main
with:
path: '.'
fail-on: 'high'
MCP Server (Claude Desktop / Cursor / VS Code)
Prism Scanner can run as an MCP server, giving AI assistants direct access to security scanning tools.
pip install "prism-scanner[mcp]"
Add to your Claude Desktop config (~/Library/Application Support/Claude/claude_desktop_config.json):
{
"mcpServers": {
"prism-scanner": {
"command": "prism-mcp"
}
}
}
Or for Claude Code:
claude mcp add prism-scanner prism-mcp
This exposes 4 tools: prism_scan, prism_grade, prism_clean_scan, prism_clean_plan.
Docker
# Build the image
docker build -t prism-scanner .
# Scan a local directory
docker run -v $(pwd)/my-skill:/workspace/target:ro prism-scanner scan /workspace/target
# Scan a remote repo
docker run prism-scanner scan https://github.com/user/skill-repo
# Generate HTML report
docker run -v $(pwd):/workspace/output prism-scanner scan https://github.com/user/repo --format html -o /workspace/output/report.html
Or use the published image:
docker run ghcr.io/prismlab/prism-scanner scan <target>
What It Detects
Prism operates across 3 analysis layers, each targeting a different phase of the agent lifecycle:
| Layer | Focus | Rules | Examples |
|---|---|---|---|
| 1. Code Behavior (S1-S14) | What the code does | 14 | Shell execution, data exfiltration, SSRF, persistence mechanisms, unsafe deserialization, download-and-execute |
| 2. Metadata (M1-M6, P1-P9) | What the package claims vs. contains | 15 | Hardcoded credentials, typo-squatting, install scripts, obfuscated payloads, prompt injection, suspicious domains |
| 3. System Residue (R1-R10) | What was left behind | 10 | LaunchAgents, crontab entries, shell config pollution, orphaned credentials, systemd units, login items |
Total: 39 detection rules with lightweight intra-file taint analysis.
Example Output
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Prism Scanner v0.1.0
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Target: evil_skill
Platform: clawhub
Duration: 42ms
[1/3] Behavior Analysis
✗ CRITICAL S8 Data exfiltration: secrets sent to external endpoint evil_skill.py:10
✗ CRITICAL S10 Download and execute: fetches remote payload evil_skill.py:24
✗ HIGH S1 Shell execution with untrusted input evil_skill.py:14
✗ HIGH S13 Persistence: writes LaunchAgent plist evil_skill.py:36
⚠ MEDIUM S6 Dynamic code execution (eval/exec) evil_skill.py:21
[2/3] Metadata Analysis
✗ CRITICAL P1 Hardcoded credential: AWS Access Key evil_skill.py:47
⚠ MEDIUM P2 Base64-encoded executable content evil_skill.py:50
⚠ MEDIUM P6 Prompt injection pattern in string literal evil_skill.py:53
[3/3] Residue Scan
(skipped — use `prism clean --scan` for system-level checks)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Grade: F (Critical)
Key Risks:
▸ CRITICAL: Data exfiltration to external endpoint (S8)
▸ CRITICAL: Download and execute remote payload (S10)
▸ CRITICAL: Hardcoded AWS credential (P1)
▸ HIGH: Shell execution with user input (S1)
▸ HIGH: Persistence mechanism installed (S13)
Behavior Profile:
exfiltrates_data, executes_shell, downloads_and_executes, installs_persistence
Recommendation: DO NOT INSTALL — Critical security risks detected.
Findings: 3 critical, 2 high, 3 medium
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Grading System
| Grade | Label | Meaning | Recommendation |
|---|---|---|---|
| A | Safe | No findings or only informational | Safe to use |
| B | Notice | Only LOW severity findings | Likely safe — minor observations |
| C | Caution | 1-4 MEDIUM findings | Review before use — warrants manual inspection |
| D | Danger | 1-2 HIGH, or 5+ MEDIUM | Use in sandbox only — significant risks |
| F | Critical | Any CRITICAL, or 3+ HIGH | Do not install — critical security risks |
Output Formats
# Rich terminal output (default) — color-coded severity, grade highlighting
prism scan ./skill/
# Machine-readable JSON
prism scan ./skill/ --format json
# Standalone HTML report — dark-themed, self-contained, shareable
prism scan ./skill/ --format html -o report.html
# SARIF for GitHub Code Scanning
prism scan ./skill/ --format sarif -o results.sarif
HTML Report
Generate a standalone, self-contained HTML report with full findings, grade visualization, and risk breakdown — perfect for sharing with teammates or archiving:
prism scan https://github.com/user/skill-repo --format html -o report.html
The HTML report features a dark-themed UI with color-coded severity levels, an interactive grade ring, and a complete findings table. No external dependencies — just open the .html file in any browser.
CI/CD Integration
Add Prism to your GitHub Actions workflow to gate deployments on security findings:
name: Security Scan
on: [push, pull_request]
jobs:
prism-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install Prism Scanner
run: pip install prism-scanner
- name: Run security scan
run: prism scan . --format sarif -o results.sarif --fail-on high
- name: Upload SARIF results
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
The --fail-on flag exits with code 1 if any finding meets or exceeds the specified severity (critical, high, or medium), failing the CI pipeline.
Key Features
- Taint Analysis — Tracks data flow from sources (env vars, user input) to sinks (shell, network) within each file
- Multi-Platform — Scans ClawHub skills, MCP servers, npm packages, and pip packages with platform-aware rules
- Zero Dependencies on Target — Pure static analysis; never executes scanned code
- Residue Scanner — Detects persistence mechanisms, shell config pollution, and credential leaks left by uninstalled tools
- Safe Cleanup — Three-tier workflow (
scan->plan->apply) with automatic backup and--rollback - Suppression — Use
.prismignoreto suppress known findings by rule ID with justification - Offline Mode — Run with
--offlineto skip all external lookups
Adding Custom Rules
Detection rules are defined in YAML files under the rules/ directory:
rules/
├── malicious_signatures.yaml # Known malicious code signatures and hashes
├── permissions.yaml # Permission baseline definitions
└── suspicious_domains.yaml # C2 domains, dynamic DNS, disposable TLDs
The pattern engine (P1-P9) and manifest engine (M1-M6) load rules from these files at scan time. Add entries to extend detection without modifying Python code.
Project Structure
src/prism/
├── cli.py # CLI entry point and output formatting
├── scanner.py # Orchestrator — runs engines, collects findings
├── models.py # Finding, ScanResult, Severity, Layer data models
├── scoring.py # Letter-grade risk assessment (A-F)
├── report.py # HTML report generator
├── fetcher.py # Git clone / URL fetching with security guards
├── cleaner.py # System cleanup: plan, apply, rollback
├── suppression.py # .prismignore parsing
├── rules_loader.py # YAML rule loading
└── engines/
├── ast_engine.py # AST-based analysis (S1-S14)
├── pattern_engine.py # Regex pattern matching (P1-P9)
├── manifest_engine.py # Metadata & manifest analysis (M1-M6)
├── residue_engine.py # System residue scanner (R1-R10)
└── taint.py # Intra-file taint tracking
Contributing
Contributions are welcome. Please see CONTRIBUTING.md for guidelines on:
- Adding new detection rules
- Writing and running tests
- Code style and commit conventions
License
Apache License 2.0 — free for commercial and personal use.
Prism Verified Badge
Show that your project has been scanned by Prism. Add a badge to your README:
Grade A (Safe):
[](https://github.com/aidongise-cell/prism-scanner)
All grades:
| Grade | Badge |
|---|---|
| A |  |
| B |  |
| C |  |
| D |  |
| F |  |
Preview:
Support
If Prism Scanner helped you catch a security risk or gave you peace of mind, please consider giving it a ⭐ on GitHub — it helps others discover the project and keeps development going.
Acknowledgments
Prism Scanner is developed by Prism Lab to address a gap in the AI agent ecosystem: the lack of transparent, code-level security tooling that works across platforms and covers the full agent lifecycle. We believe developers deserve to understand exactly what a skill or plugin does before trusting it with their system.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file prism_scanner-0.2.2.tar.gz.
File metadata
- Download URL: prism_scanner-0.2.2.tar.gz
- Upload date:
- Size: 76.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
04f622eccd82914d97647f9f6044fe9a4495057d188e406e6210ea37e4dfaa4a
|
|
| MD5 |
aaa34286ebfdf1bd56392e0dc46c7945
|
|
| BLAKE2b-256 |
462be73b2560aa4bd729e42eacef0ca06222b942c21ba679319a249db71adfad
|
File details
Details for the file prism_scanner-0.2.2-py3-none-any.whl.
File metadata
- Download URL: prism_scanner-0.2.2-py3-none-any.whl
- Upload date:
- Size: 68.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bdd9f61b35209789d63e017f966cb1a958a2b6d02ff7c2d5f75be9576093bf99
|
|
| MD5 |
62e35c280ac0ce5d60c589d3900c6aaf
|
|
| BLAKE2b-256 |
abcfb3b729650a458391d09f37580e2fba93665bcd972a719bab5026779f1daf
|
