Technical articles on AI agent security, threat research, and building open-source security tools.
The MCP ecosystem accumulated 30 CVEs in 60 days. We break down every vulnerability category, analyze the root causes, map them to Aguara detection rules, and show what the data tells us about AI agent security.
Aguara Security Scanner is available on the GitHub Marketplace. One line in your workflow. 173+ detection rules. 13 categories. SARIF results in GitHub Code Scanning. No API keys, no cloud service, no dependencies.
20 new detection rules across 8 categories. Confidence scoring (0.0–1.0) on every finding. Configurable --max-file-size. Atomic state writes. The largest single-release rule expansion in Aguara's history.
Schneier's framework reframes prompt injection as a 7-stage APT kill chain. 21 documented attacks traverse 4+ stages. Each stage mapped to real incidents, Aguara detection rules, MITRE ATLAS techniques, and defense strategy.
23.8M secrets leaked on GitHub in 2024. Copilot repos show 40% higher leak rates. Five paths credentials leak through AI agents, what Aguara's detection rules catch, and why static scanning alone isn't enough.
Anthropic created MCP, then shipped reference servers with path traversal, argument injection, SQL injection, and sandbox escapes. 9 CVEs analyzed, attack chains documented, and what Aguara detects.
Researchers at 4 universities formalize the agentic AI threat model with two supply chains and the Viral Agent Loop. Here is how Aguara's 153 detection rules map to every attack class they identified.
153 detection rules, 5 new file hardening guardrails, official MCP SDK migration across the stack, and Aguara Watch now tracks 42,969 skills across 7 registries. One SDK, zero community forks.
OpenClaw's security team has shipped 40+ patches in weeks. But the skill ecosystem is still your responsibility. 7 practical security checks plus step-by-step Aguara integration for scanning skills, configs, and CI/CD.
Kali Linux officially integrates Claude Desktop via MCP to control nmap, metasploit, and hydra through natural language. If legitimate MCP servers give agents access to pentesting tools, imagine what a malicious one can do.
NIST's NCCoE published a concept paper on AI agent identity and authorization. Their 6 open questions map directly to what Aguara and the MCP ecosystem are building today. Here is the mapping.
How a single scanner became a full feedback loop: observatory crawling 42,655 skills, 4 rounds of FP reduction, and an MCP server that gives agents access to the entire cycle. The engineering story.
Docker Sandboxes isolate AI agents at runtime. But a sandboxed agent running malicious skills is still a compromised agent. What runtime isolation misses and why static analysis needs to come first.
MCP configuration files are the most dangerous files on developer machines. Hardcoded secrets, npx -y without version pins, Docker with --privileged, shell metacharacters in args. Seven risks with concrete fixes.
Every risk in the OWASP Top 10 for Agentic Applications mapped to specific Aguara detection rules. 173 rules across 13 categories covering all 10 OWASP risks with concrete examples from 40,000+ scanned skills.
Tool poisoning goes far beyond malicious descriptions. Every field the LLM processes is an injection point: parameter names, enum values, error messages, return values. A deep dive into the full attack surface.
A step-by-step methodology for auditing AI agent skill files. Hidden content, instruction overrides, credential patterns, external communications, and command execution — with detection examples for each.
Most MCP servers are installed via npx -y — auto-downloading and executing unverified code. Typosquatting, package takeover, dependency confusion, and postinstall scripts make this a supply chain nightmare.
40,000+ skills across 7 registries. 485 critical-severity findings. Prompt injection, credential leaks, supply chain attacks. The first large-scale security audit of AI agent ecosystems.
The architecture behind Aguara: three detection layers, 173 YAML rules, concurrent file scanning, and self-testing rules. A deep dive into building a static security scanner for a new attack surface.