Technical articles on AI agent security, threat research, and building open-source security tools.
The MCP ecosystem accumulated 30 CVEs in 60 days. We break down every vulnerability category, analyze the root causes, map them to Aguara detection rules, and show what the data tells us about AI agent security.
Original announcement of the GitHub Action on the Marketplace. Historical note: current install examples now pin both the action ref and the binary version input; see the landing page for the current v0.18.2 syntax.
20 new detection rules across 8 categories. Confidence scoring (0.0–1.0) on every finding. Configurable --max-file-size. Atomic state writes. The largest single-release rule expansion in Aguara's history.
Schneier's framework reframes prompt injection as a 7-stage APT kill chain. 21 documented attacks traverse 4+ stages. Each stage mapped to real incidents, Aguara detection rules, MITRE ATLAS techniques, and defense strategy.
23.8M secrets leaked on GitHub in 2024. Copilot repos show 40% higher leak rates. Five paths credentials leak through AI agents, what Aguara's detection rules catch, and why static scanning alone isn't enough.
Anthropic created MCP, then shipped reference servers with path traversal, argument injection, SQL injection, and sandbox escapes. 9 CVEs analyzed, attack chains documented, and what Aguara detects.
Researchers at 4 universities formalize the agentic AI threat model with two supply chains and the Viral Agent Loop. Historical mapping note: rule counts in the article reflect the catalog at publication time.
Historical release note covering Aguara v0.4.0, the original MCP SDK migration, and the early state of the observatory dataset. Current release is v0.18.2; Watch is currently being reworked.
OpenClaw's security team has shipped 40+ patches in weeks. But the skill ecosystem is still your responsibility. 7 practical security checks plus step-by-step Aguara integration for scanning skills, configs, and CI/CD.
Kali Linux officially integrates Claude Desktop via MCP to control nmap, metasploit, and hydra through natural language. If legitimate MCP servers give agents access to pentesting tools, imagine what a malicious one can do.
NIST's NCCoE published a concept paper on AI agent identity and authorization. Their 6 open questions map directly to what Aguara and the MCP ecosystem are building today. Here is the mapping.
Historical engineering note about the original scanner, observatory, and MCP feedback loop. Watch is currently being reworked, and the figures in this article reflect that earlier dataset.
Docker Sandboxes isolate AI agents at runtime. But a sandboxed agent running malicious skills is still a compromised agent. What runtime isolation misses and why static analysis needs to come first.
MCP configuration files are the most dangerous files on developer machines. Hardcoded secrets, npx -y without version pins, Docker with --privileged, shell metacharacters in args. Seven risks with concrete fixes.
Every risk in the OWASP Top 10 for Agentic Applications mapped to specific Aguara detection rules. Rule counts and dataset figures inside the article reflect the catalog at publication time.
Tool poisoning goes far beyond malicious descriptions. Every field the LLM processes is an injection point: parameter names, enum values, error messages, return values. A deep dive into the full attack surface.
A step-by-step methodology for auditing AI agent skill files. Hidden content, instruction overrides, credential patterns, external communications, and command execution — with detection examples for each.
Most MCP servers are installed via npx -y — auto-downloading and executing unverified code. Typosquatting, package takeover, dependency confusion, and postinstall scripts make this a supply chain nightmare.
Historical research from the first large-scale audit of AI agent skill ecosystems. Skill counts, registry totals, and finding numbers in the article reflect the dataset at that point in time.
Historical engineering deep-dive into the architecture behind Aguara: detection layers, YAML rules, concurrent file scanning, and self-testing rules. Rule counts reflect the catalog at publication time.