DEV Community: Naufal Afif The latest articles on DEV Community by Naufal Afif (@naufalafif). https://dev.to/naufalafif https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F188646%2F5bee5553-b74f-4473-8cf1-d31f3e46e44b.png DEV Community: Naufal Afif https://dev.to/naufalafif en You probably haven't audited your MCP servers or AI agent skills. This tool does it for you. Naufal Afif Mon, 23 Mar 2026 10:15:57 +0000 https://dev.to/naufalafif/you-probably-havent-audited-your-mcp-servers-or-ai-agent-skills-this-tool-does-it-for-you-2pb2 https://dev.to/naufalafif/you-probably-havent-audited-your-mcp-servers-or-ai-agent-skills-this-tool-does-it-for-you-2pb2 <p>New MCP servers and AI agent tools ship every week. Cursor rules, Claude skills, agent instructions — the ecosystem is moving faster than anyone can manually review.</p> <p>Even if you check things before installing, updates can introduce new behavior. And with tools being forked, modified, and reshared — you want something watching continuously.</p> <p>That's why I built <strong>AgentGuard</strong> — a macOS menu bar app that runs security scanners in the background and flags anything suspicious.</p> <h2> The risk </h2> <p>MCP servers register tools that your AI assistant calls. Those tools can read files, run commands, make HTTP requests. A malicious or compromised tool can:</p> <ul> <li>Exfiltrate your SSH keys or credentials to an external endpoint</li> <li>Inject prompts that override your instructions</li> <li>Chain tool calls to escalate access</li> </ul> <p>Same with agent skills and rules (<code>.cursorrules</code>, Claude skills, agent instructions). They're mostly markdown files — but they control what the AI does on your machine.</p> <h2> The scanners </h2> <p>Cisco AI Defense maintains two open-source security scanners:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scanner</th> <th>What it scans</th> </tr> </thead> <tbody> <tr> <td><a href="https://github.com/cisco-ai-defense/mcp-scanner" rel="noopener noreferrer">mcp-scanner</a></td> <td>MCP server configs — Claude Desktop, Cursor, VS Code, Windsurf, Zed</td> </tr> <tr> <td><a href="https://github.com/cisco-ai-defense/skill-scanner" rel="noopener noreferrer">skill-scanner</a></td> <td>Agent skill packages — Cursor rules, Claude skills, and other agent instruction files</td> </tr> </tbody> </table></div> <p>YARA rules + static analysis. Everything runs locally, nothing leaves your machine.</p> <p>They work great — but they're CLI tools. You have to remember to run them manually after every install or update.</p> <h2> AgentGuard </h2> <p>AgentGuard puts both scanners behind a menu bar icon. It scans on a schedule, shows findings in a popover, and lets you act on them.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpv2k1ainq7oyalpv74eq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpv2k1ainq7oyalpv74eq.png" alt="AgentGuard popover showing findings" width="800" height="936"></a></p> <p>Click a finding to see full details — what was detected, which rule flagged it, and the option to mute it:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxiqo7e3ljv7a9iio8zdz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxiqo7e3ljv7a9iio8zdz.png" alt="Finding expanded with details" width="800" height="936"></a></p> <p><strong>Install:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>brew tap naufalafif/tap brew <span class="nb">install</span> <span class="nt">--cask</span> agent-guard </code></pre> </div> <p>The app handles everything — installs the scanners, scans your configs, runs in the background. No manual setup.</p> <p><strong>What it scans:</strong></p> <p>MCP configs are picked up automatically — <code>claude_desktop_config.json</code>, <code>.cursor/mcp.json</code>, VS Code <code>settings.json</code>, Windsurf, Zed.</p> <p>Skill directories default to common locations — <code>~/.cursor/skills</code>, <code>~/.cursor/rules</code>, <code>~/.claude/skills</code>, <code>~/.agents/skills</code>, and more. Add your own from Settings.</p> <h2> Open source </h2> <p>AgentGuard is a native Swift app — open source under MIT.</p> <p>GitHub: <strong><a href="https://github.com/naufalafif/agent-guard" rel="noopener noreferrer">github.com/naufalafif/agent-guard</a></strong></p> <p>If you use MCP servers or AI coding tools, give it a scan. You might find something you didn't expect.</p> security ai macos opensource Dynamic Permissions in React using CASL: A Guide to Secure Your App🔒 Naufal Afif Mon, 05 Jun 2023 14:25:34 +0000 https://dev.to/naufalafif/dynamic-permissions-in-react-using-casl-a-guide-to-secure-your-app-2ino https://dev.to/naufalafif/dynamic-permissions-in-react-using-casl-a-guide-to-secure-your-app-2ino <p>As web applications become more complex, it's important to ensure that users have the appropriate permissions to access certain features and data. In this article, we'll explore how to implement dynamic permissions in React using CASL, a powerful authorization library.</p> <p>CASL, or "Class-based Authorization System for React and Node.js", provides a simple and intuitive way to define permissions and check them at runtime. With CASL, you can easily manage permissions for different roles and users, and ensure that your app is secure and compliant with data protection regulations.</p> <h3> Installing Packages </h3> <p>To get started with CASL, you'll need to install the library and its dependencies:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> npm install @casl/react @casl/ability </code></pre> </div> <h3> Define Permissions </h3> <p>Once you've installed CASL, you can define your permissions using the <code>defineAbility</code> function. Here's an example of how to define permissions for a blog app:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="c1">// ability.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">defineAbility</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@casl/ability</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">defineAbility</span><span class="p">((</span><span class="nx">can</span><span class="p">,</span> <span class="nx">cannot</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">can</span><span class="p">(</span><span class="dl">"</span><span class="s2">read</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Post</span><span class="dl">"</span><span class="p">);</span> <span class="nf">can</span><span class="p">(</span><span class="dl">"</span><span class="s2">add</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Post</span><span class="dl">"</span><span class="p">);</span> <span class="nf">cannot</span><span class="p">(</span><span class="dl">"</span><span class="s2">update</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Post</span><span class="dl">"</span><span class="p">);</span> <span class="nf">cannot</span><span class="p">(</span><span class="dl">"</span><span class="s2">delete</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Post</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>In this example, we're defining permissions for a <code>Post</code> model. Users can read and create posts, but can't update and delete them.</p> <p>We can use permission directly by invoking the function <code>can</code> or using <code>Can</code> component.</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">import</span> <span class="nx">ability</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./ability.js</span><span class="dl">"</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">ability</span><span class="p">.</span><span class="nf">can</span><span class="p">(</span><span class="dl">"</span><span class="s2">read</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Post</span><span class="dl">"</span><span class="p">));</span> <span class="c1">// true</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">ability</span><span class="p">.</span><span class="nf">can</span><span class="p">(</span><span class="dl">"</span><span class="s2">delete</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Post</span><span class="dl">"</span><span class="p">));</span> <span class="c1">// false</span> </code></pre> </div> <h3> Permission on React Component </h3> <p>Once you've defined your permissions, you can use the <code>Can</code> component from <code>@casl/react</code> to check if a user has permission to perform a certain action. Here's an example of how to use the <code>Can</code> component in a React component:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">import</span> <span class="p">{</span> <span class="nx">createContext</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createContextualCan</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@casl/react</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">ability</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./ability.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">AbilityContext</span> <span class="o">=</span> <span class="nf">createContext</span><span class="p">();</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">Can</span> <span class="o">=</span> <span class="nf">createContextualCan</span><span class="p">(</span><span class="nx">AbilityContext</span><span class="p">.</span><span class="nx">Consumer</span><span class="p">);</span> <span class="kd">function</span> <span class="nf">App</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">post</span> <span class="o">=</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">example-title</span><span class="dl">"</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">"</span><span class="s2">example-content</span><span class="dl">"</span> <span class="p">};</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">AbilityContext</span><span class="p">.</span><span class="nx">Provider</span> <span class="nx">value</span><span class="o">=</span><span class="p">{</span><span class="nx">ability</span><span class="p">}</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">Can</span> <span class="nx">I</span><span class="o">=</span><span class="dl">"</span><span class="s2">add</span><span class="dl">"</span> <span class="nx">a</span><span class="o">=</span><span class="dl">"</span><span class="s2">Post</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">button</span><span class="o">&gt;</span><span class="nx">Add</span><span class="o">&lt;</span><span class="sr">/button</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/Can</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">Can</span> <span class="nx">I</span><span class="o">=</span><span class="dl">"</span><span class="s2">read</span><span class="dl">"</span> <span class="nx">a</span><span class="o">=</span><span class="dl">"</span><span class="s2">Post</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">Post</span> <span class="nx">post</span><span class="o">=</span><span class="p">{</span><span class="nx">post</span><span class="p">}</span> <span class="sr">/</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/Can</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/AbilityContext.Provider</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">Post</span><span class="p">({</span> <span class="nx">post</span> <span class="p">})</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h2</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">post</span><span class="p">.</span><span class="nx">title</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/h2</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">post</span><span class="p">.</span><span class="nx">content</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">Can</span> <span class="nx">I</span><span class="o">=</span><span class="dl">"</span><span class="s2">update</span><span class="dl">"</span> <span class="nx">a</span><span class="o">=</span><span class="dl">"</span><span class="s2">Post</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">button</span><span class="o">&gt;</span><span class="nx">Edit</span><span class="o">&lt;</span><span class="sr">/button</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/Can</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">Can</span> <span class="nx">I</span><span class="o">=</span><span class="dl">"</span><span class="s2">delete</span><span class="dl">"</span> <span class="nx">a</span><span class="o">=</span><span class="dl">"</span><span class="s2">Post</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">button</span><span class="o">&gt;</span><span class="nx">Delete</span><span class="o">&lt;</span><span class="sr">/button</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/Can</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>In this example, we're rendering a <code>Post</code> component and checking if the current user has permission to update &amp; delete the post. If the user has permission, we're rendering the buttons.</p> <p>We're providing the <code>ability</code> to our entire app using the <code>AbilityContext.Provider</code>. This allows us to check permissions in any component using the <code>Can</code> component or the <code>useAbility</code> hook from <code>@casl/react</code>.</p> <p>Overall, CASL provides a powerful and flexible way to manage permissions in your React app. By defining permissions using the <code>defineAbility</code> function and checking them at runtime using the <code>Can</code> component or the <code>useAbility</code> hook, you can ensure that your app is secure and compliant with data protection regulations.</p> <p>I hope this article has been helpful in getting started with dynamic permissions in React using CASL. If you have any questions or feedback, feel free to leave a comment below!</p> <h3> Demo </h3> <p>Check out the demo below where you can edit permissions and see how the feature is enabled or disabled based on changes to the permission data.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fykzb1lp81begvwhkefi9.gif" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fykzb1lp81begvwhkefi9.gif" alt="React with CASL Demo"></a></p> <p>Demo URL: <a href="https://react-with-casl.vercel.app/" rel="noopener noreferrer">https://react-with-casl.vercel.app/</a><br> Source Code: <a href="https://github.com/naufalafif/react-with-casl" rel="noopener noreferrer">https://github.com/naufalafif/react-with-casl</a></p> webdev javascript react security