tanav 0.1.0

AI Supply Chain Security scanner — scan MCP servers, skill files, and agent configs for security risks

aiss-scan

AI Supply Chain Security scanner. Scan your local AI client configs and GitHub repos for security risks — no account required.

27% of 1,100+ public MCP repos carry CRITICAL findings.

Install

# Run immediately with uvx (no install needed):
uvx aiss-scan

# Or install permanently:
pip install aiss-scan

Usage

Scan your local AI configs (default)

Automatically finds and scans every MCP server configured in Claude Desktop, Cursor, Windsurf, and other AI clients on your machine.

uvx aiss-scan

AISS Local Config Scan
Configs found: 2
  ~/.claude/settings.json
  ~/.cursor/mcp.json

Servers scanned: 4
  1 BLOCK  — do not use
  1 REVIEW — investigate before use
  2 SAFE   — no findings

=== AISS Scan: @upstash/context7-mcp ===
Risk Score:  82/100  ✗ BLOCK

CRITICAL (1)
  [CHK-115] docs/troubleshooting.md:34
    confirmed · Credential access pattern in skill content

=== AISS Scan: @modelcontextprotocol/server-github ===
Risk Score:  0/100  ✓ SAFE

No findings.

Scan a specific config file

uvx aiss-scan --config ~/.cursor/mcp.json
uvx aiss-scan --config ~/Library/Application\ Support/Claude/claude_desktop_config.json

Scan a GitHub repo or npm package

uvx aiss-scan --repo https://github.com/Significant-Gravitas/AutoGPT
uvx aiss-scan --repo @upstash/context7-mcp
uvx aiss-scan --repo @azure/mcp

Output formats

# NDJSON — one JSON record per finding (Splunk / Elastic / SIEM)
uvx aiss-scan --json

# SARIF 2.1.0 — GitHub Security tab
uvx aiss-scan --sarif > results.sarif

# CI gate — exit code 1 on any CRITICAL finding
uvx aiss-scan --fail-on-critical

# Send results to aiss.dev for org dashboard
uvx aiss-scan --upload

GitHub Actions

- name: AISS MCP Security Scan
  run: uvx aiss-scan --sarif > aiss-results.sarif

- name: Upload to GitHub Security
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: aiss-results.sarif

For a pre-built Action: see .github/workflows/aiss-scan.yml

What gets checked

All checkers are deterministic, rule-based, and hand-written (no ML, no false-positive-prone heuristics).

Checker	What it finds
CHK-115	Credential access patterns in skill files
CHK-116	Prompt injection in cursor rules
CHK-117	Credential access in cursor rules
CHK-118	Data exfiltration instructions in cursor rules
CHK-119	Kiro steering file injection
CHK-120	Kiro spec dangerous permissions + auto-execute
CHK-121	Copilot instructions injection
CHK-122	Credential access in Copilot instructions
CHK-123	Exfiltration in Copilot instructions
CHK-124	Rug pull — tool description changed since last scan
CHK-125	Excessive agency without scope constraint
+ 110 more	CVEs, secrets, auth gaps, shadow tools, typosquats

Verdicts

Verdict	Meaning
✓ SAFE	No findings. Connect with confidence.
⚠ REVIEW	Medium/High findings. Investigate before use.
✗ BLOCK	CRITICAL findings or score ≥ 80. Do not connect.

Privacy

• No data leaves your machine unless you pass --upload
• No API keys required
• Config files are read locally; only server identifiers (npm package names, GitHub URLs) are used for scanning
• Environment variable values are never read or logged — only key names

Public registry

Check any MCP server before installing:

https://aiss.dev/registry/Significant-Gravitas/AutoGPT
https://aiss.dev/registry/modelcontextprotocol/server-git

1,100+ repos pre-scored. Updated continuously.

Real findings (from our corpus)

• AutoGPT 184k★ — CHK-115: credential access in 3 SKILL.md files (AI confirmed)
• garrytan/gstack 71k★ — --dangerously-skip-permissions + .env credential access
• screenpipe/screenpipe 19k★ — Telegram data exfiltration in SKILL.md
• modelcontextprotocol/server-git 85k★ — CVE-2025-68143 CVSS 8.8 path traversal
• @upstash/context7-mcp 1M dl/wk — credentials in troubleshooting docs

Links

• Public registry — 1,100+ pre-scored repos
• Dashboard — org-wide scanning + SBOM + SIEM
• GitHub
• Report a false positive