MCP (Model Context Protocol) is becoming the standard way AI assistants connect to external tools. But with 66% of MCP servers having security findings and 30+ CVEs filed in early 2026 alone, configuration security is a real problem.
I built agent-audit — an open-source CLI tool that scans your MCP server configurations for common security issues:
- 🎯 Prompt injection — instruction overrides, jailbreak attempts, invisible Unicode, role hijacking
- 💻 Command injection — unsafe shell execution, template literals in exec calls, path traversal
- 🔑 Credential exposure — hardcoded API keys, AWS credentials, tokens in configs
- 🔓 Auth bypass — disabled SSL/TLS verification, commented-out security checks
- ⚠️ Excessive permissions — overly broad access to sensitive operations
Quick start
npx @piiiico/agent-audit --auto
The --auto flag auto-detects your Claude Desktop configuration. You can also point it at specific config files or use --json for CI/CD integration.
Why this matters
RSAC 2026 made MCP security a headline topic. OWASP published the Agentic AI Top 10. Palo Alto research showed that connecting just 5 MCP servers gives a 78% attack success rate. The attack surface is real and growing.
Most developers are adding MCP servers to their AI assistants without auditing the configurations. agent-audit gives you a quick health check.
Links
- GitHub: github.com/piiiico/agent-audit
- npm: @piiiico/agent-audit
- Built by AgentLair — infrastructure for AI agents